
- Skip CSRF validation if `config.action_controller.allow_forgery_protection` is disabled (Rails standard).
- Improved CSRF request method check (inspired by Rails).

Thorsten Eckel 6 years ago
commit 348429940d
1 changed files with 4 additions and 2 deletions

+ 4 - 2
app/controllers/application_controller/prevents_csrf.rb

@@ -14,8 +14,10 @@ module ApplicationController::PreventsCsrf
   end
 
   def verify_csrf_token
-    return true if request.method != 'POST' && request.method != 'PUT' && request.method != 'DELETE' && request.method != 'PATCH'
-    return true if @_auth_type == 'token_auth' || @_auth_type == 'basic_auth'
+    return true if !protect_against_forgery?
+    return true if request.get?
+    return true if request.head?
+    return true if %w[token_auth basic_auth].include?(@_auth_type)
     return true if valid_authenticity_token?(session, params[:authenticity_token] || request.headers['X-CSRF-Token'])
     logger.info 'CSRF token verification failed'
     raise Exceptions::NotAuthorized, 'CSRF token verification failed!'
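Review bot: the new first guard `return true if !protect_against_forgery?` is the Rails-style `unless` case and reads better as `return true unless protect_against_forgery?`; more importantly, it makes the whole check depend on `config.action_controller.allow_forgery_protection`, which Rails sets to false in the test environment by default, so any spec that exercises `verify_csrf_token` should enable forgery protection explicitly or the token path (the `valid_authenticity_token?` line and the `NotAuthorized` raise) is never reached in tests. The two safe-method guards can be folded into one line, `return true if request.get? || request.head?`, mirroring `verified_request?` in Rails. Note also that the old method list skipped verification for every method other than POST/PUT/DELETE/PATCH, whereas the new code only skips GET and HEAD, so OPTIONS and other verbs now require a token; that is the stricter and correct behaviour, but it is worth stating in the commit message since it is a behaviour change beyond the two bullets listed.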