diff options
author | abcang <abcang1015@gmail.com> | 2018-04-17 22:23:46 +0900 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2018-04-17 15:23:46 +0200 |
commit | 897199910fc29d17b4a019b6ee2473e138d777a2 (patch) | |
tree | 21eceb5c6212f770c876755e5f901469892ce3ce /app/controllers/api | |
parent | 204d72fbe49b3749e168ed2cd0ff83706946352a (diff) |
Improve web api protect (#6343)
Diffstat (limited to 'app/controllers/api')
-rw-r--r-- | app/controllers/api/web/base_controller.rb | 9 | ||||
-rw-r--r-- | app/controllers/api/web/embeds_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/api/web/push_subscriptions_controller.rb | 3 | ||||
-rw-r--r-- | app/controllers/api/web/settings_controller.rb | 2 |
4 files changed, 12 insertions, 4 deletions
diff --git a/app/controllers/api/web/base_controller.rb b/app/controllers/api/web/base_controller.rb new file mode 100644 index 000000000..8da549b3a --- /dev/null +++ b/app/controllers/api/web/base_controller.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +class Api::Web::BaseController < Api::BaseController + protect_from_forgery with: :exception + + rescue_from ActionController::InvalidAuthenticityToken do + render json: { error: "Can't verify CSRF token authenticity." }, status: 422 + end +end diff --git a/app/controllers/api/web/embeds_controller.rb b/app/controllers/api/web/embeds_controller.rb index 2ed516161..f2fe74b17 100644 --- a/app/controllers/api/web/embeds_controller.rb +++ b/app/controllers/api/web/embeds_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::Web::EmbedsController < Api::BaseController +class Api::Web::EmbedsController < Api::Web::BaseController respond_to :json before_action :require_user! diff --git a/app/controllers/api/web/push_subscriptions_controller.rb b/app/controllers/api/web/push_subscriptions_controller.rb index c611031ab..249e7c186 100644 --- a/app/controllers/api/web/push_subscriptions_controller.rb +++ b/app/controllers/api/web/push_subscriptions_controller.rb @@ -1,10 +1,9 @@ # frozen_string_literal: true -class Api::Web::PushSubscriptionsController < Api::BaseController +class Api::Web::PushSubscriptionsController < Api::Web::BaseController respond_to :json before_action :require_user! - protect_from_forgery with: :exception def create active_session = current_session diff --git a/app/controllers/api/web/settings_controller.rb b/app/controllers/api/web/settings_controller.rb index f6739d506..e3178bf48 100644 --- a/app/controllers/api/web/settings_controller.rb +++ b/app/controllers/api/web/settings_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::Web::SettingsController < Api::BaseController +class Api::Web::SettingsController < Api::Web::BaseController respond_to :json before_action :require_user! |