authorGareth Rees <gareth@mysociety.org>2014-10-02 10:17:07 +0100
committerLouise Crow <louise.crow@gmail.com>2014-12-18 15:16:38 +0000
commit9ddfdfff9366793516bc09289a1da6156dfd12ca (patch)
treeb5145d7bed864b200b35972389f348370bcd4d92
parenta9308e8c9d44cf7ff0f659bccc6b1235a8a81ee2 (diff)
Add global protect_from_forgery
Grepping the git logs didn't bring up a good reason for this to be excluded. It seems to have been introduced after the app was initially created, so it was never fully added, for fear of regressions. The specs pass for this commit.
-rw-r--r--app/controllers/admin_controller.rb1
-rw-r--r--app/controllers/application_controller.rb2
-rw-r--r--app/controllers/comment_controller.rb1
-rw-r--r--app/controllers/request_controller.rb1
-rw-r--r--app/controllers/track_controller.rb3
-rw-r--r--app/controllers/user_controller.rb7
6 files changed, 2 insertions, 13 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 3bf40b8f9..7760c372b 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -9,7 +9,6 @@ require 'fileutils'
class AdminController < ApplicationController
layout "admin"
before_filter :authenticate
- protect_from_forgery # See ActionController::RequestForgeryProtection for details
# action to take if expecting an authenticity token and one isn't received
def handle_unverified_request
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 4d3f40d40..445a13d0c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -14,6 +14,8 @@ class ApplicationController < ActionController::Base
end
class RouteNotFound < StandardError
end
+ protect_from_forgery
+
# assign our own handler method for non-local exceptions
rescue_from Exception, :with => :render_exception
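Review bot: The new `protect_from_forgery` on line 39 takes no options, so what happens when the token check fails is whatever `handle_unverified_request` does in this Rails version (older Rails resets the session, Rails 4 defaults to a null session), and that is worth stating on the line, e.g. `protect_from_forgery # every non-GET request must carry a valid authenticity token; subclasses may override handle_unverified_request (AdminController does)`. Because the `:only` lists removed in comment_controller, request_controller and user_controller no longer narrow the check, every non-GET action in every subclass is now verified, so any controller that legitimately receives token-less POSTs (non-browser clients, if there are any) needs `skip_before_filter :verify_authenticity_token` for those actions or it may start failing in a hard-to-diagnose way. GET requests are never checked, so any state-changing action reachable by GET is not covered by this change. The ApplicationController body continues outside the hunk.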
diff --git a/app/controllers/comment_controller.rb b/app/controllers/comment_controller.rb
index 2c0037577..890e9faaa 100644
--- a/app/controllers/comment_controller.rb
+++ b/app/controllers/comment_controller.rb
@@ -10,7 +10,6 @@ class CommentController < ApplicationController
before_filter :create_track_thing, :only => [ :new ]
before_filter :reject_unless_comments_allowed, :only => [ :new ]
before_filter :reject_if_user_banned, :only => [ :new ]
- protect_from_forgery :only => [ :new ]
def new
if params[:comment]
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 9e2c291dc..43404574d 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -10,7 +10,6 @@ require 'open-uri'
class RequestController < ApplicationController
before_filter :check_read_only, :only => [ :new, :show_response, :describe_state, :upload_response ]
- protect_from_forgery :only => [ :new, :show_response, :describe_state, :upload_response ] # See ActionController::RequestForgeryProtection for details
before_filter :check_batch_requests_and_user_allowed, :only => [ :select_authorities, :new_batch ]
MAX_RESULTS = 500
PER_PAGE = 25
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index 83700a55b..7018af03c 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -6,9 +6,6 @@
# Email: hello@mysociety.org; WWW: http://www.mysociety.org/
class TrackController < ApplicationController
-
- protect_from_forgery # See ActionController::RequestForgeryProtection for details
-
before_filter :medium_cache
# Track all updates to a particular request
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index baeaab18a..108a6e9e5 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -7,15 +7,8 @@
require 'set'
class UserController < ApplicationController
-
layout :select_layout
- protect_from_forgery :only => [ :contact,
- :set_profile_photo,
- :signchangeemail,
- :clear_profile_photo,
- :set_profile_about_me ] # See ActionController::RequestForgeryProtection for details
-
# Show page about a user
def show
long_cache