From 62c6e12fa58adea57954e395d10d0ffc2c0cd73c Mon Sep 17 00:00:00 2001
From: Claire
Date: Wed, 6 Apr 2022 20:57:18 +0200
Subject: Fix admin API unconditionally requiring CSRF token (#17975)

Fixes #17898

Since #17204, the admin API has only been available through the web application because of the unconditional requirement to provide a valid CSRF token. This commit changes it back to `null_session`, which should make it work both with session-based authentication (provided a CSRF token) and with a bearer token.
---
 app/controllers/api/v1/admin/trends/links_controller.rb | 2 --
 app/controllers/api/v1/admin/trends/statuses_controller.rb | 2 --
 app/controllers/api/v1/admin/trends/tags_controller.rb | 2 --
 3 files changed, 6 deletions(-)
(limited to 'app/controllers/api/v1/admin/trends')
diff --git a/app/controllers/api/v1/admin/trends/links_controller.rb b/app/controllers/api/v1/admin/trends/links_controller.rb
index 63b3d9358..0a191fe4b 100644
--- a/app/controllers/api/v1/admin/trends/links_controller.rb
+++ b/app/controllers/api/v1/admin/trends/links_controller.rb
@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 class Api::V1::Admin::Trends::LinksController < Api::BaseController
- protect_from_forgery with: :exception
-
 before_action -> { authorize_if_got_token! :'admin:read' }
 before_action :require_staff!
 before_action :set_links
diff --git a/app/controllers/api/v1/admin/trends/statuses_controller.rb b/app/controllers/api/v1/admin/trends/statuses_controller.rb
index 86633cc74..cb145f165 100644
--- a/app/controllers/api/v1/admin/trends/statuses_controller.rb
+++ b/app/controllers/api/v1/admin/trends/statuses_controller.rb
@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 class Api::V1::Admin::Trends::StatusesController < Api::BaseController
- protect_from_forgery with: :exception
-
 before_action -> { authorize_if_got_token! :'admin:read' }
 before_action :require_staff!
 before_action :set_statuses
diff --git a/app/controllers/api/v1/admin/trends/tags_controller.rb b/app/controllers/api/v1/admin/trends/tags_controller.rb
index 5cc4c269d..9c28b0412 100644
--- a/app/controllers/api/v1/admin/trends/tags_controller.rb
+++ b/app/controllers/api/v1/admin/trends/tags_controller.rb
@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 class Api::V1::Admin::Trends::TagsController < Api::BaseController
- protect_from_forgery with: :exception
-
 before_action -> { authorize_if_got_token! :'admin:read' }
 before_action :require_staff!
 before_action :set_tags
-- cgit