authorLouise Crow <louise.crow@gmail.com>2011-02-24 13:47:52 +0000
committerLouise Crow <louise.crow@gmail.com>2011-02-24 13:47:52 +0000
commit3757bb52c0aa86b779b00428d7ebe35b30cea1ee (patch)
treeb92ffbf5d9ebe218c4c0e9fcbeb7aed40d77cd8d /app/controllers/admin_controller.rb
parent1ea1181a028564119c7a90b0095c9dfaed3a12e3 (diff)
Adding CSRF protection for admin forms.
Diffstat (limited to 'app/controllers/admin_controller.rb')
-rw-r--r--app/controllers/admin_controller.rb5
1 files changed, 5 insertions, 0 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 4734146a8..76b4f66e7 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -11,12 +11,17 @@ require 'fileutils'
class AdminController < ApplicationController
layout "admin"
before_filter :assign_http_auth_user
+ protect_from_forgery # See ActionController::RequestForgeryProtection for details
# Always give full stack trace for admin interface
def local_request?
true
end
+ def handle_unverified_request
+ raise(ActionController::InvalidAuthenticityToken)
+ end
+
# Expire cached attachment files for a request
def expire_for_request(info_request)
# Clear out cached entries, by removing files from disk (the built in