authorLouise Crow <louise.crow@gmail.com>2011-02-28 13:21:32 +0000
committerLouise Crow <louise.crow@gmail.com>2011-02-28 13:21:32 +0000
commit4cc2cf2a6d935adfd263ea4fd7791a6d84f704da (patch)
tree9733899634a7d71c625c40ae8ae60a559f4d7767 /app/controllers/admin_controller.rb
parentfe8e25164126b2c792b5b6a59c72b31b26bce64d (diff)
Add CSRF protection on state-changing actions. Use the default handler, handle_unverified_request, which clears the session.
Diffstat (limited to 'app/controllers/admin_controller.rb')
-rw-r--r--app/controllers/admin_controller.rb9
1 files changed, 5 insertions, 4 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 76b4f66e7..004d460c5 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -13,15 +13,16 @@ class AdminController < ApplicationController
before_filter :assign_http_auth_user
protect_from_forgery # See ActionController::RequestForgeryProtection for details
+ # action to take if expecting an authenticity token and one isn't received
+ def handle_unverified_request
+ raise(ActionController::InvalidAuthenticityToken)
+ end
+
# Always give full stack trace for admin interface
def local_request?
true
end
- def handle_unverified_request
- raise(ActionController::InvalidAuthenticityToken)
- end
-
# Expire cached attachment files for a request
def expire_for_request(info_request)
# Clear out cached entries, by removing files from disk (the built in
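Review bot: The comment on the moved `handle_unverified_request` says it runs when a token "isn't received", but Rails invokes this hook whenever verification fails, including when a token is present but does not match, so the comment understates when the admin interface will raise. It is also worth recording why this controller overrides the Rails default that the commit message describes (a session reset): the class uses `before_filter :assign_http_auth_user`, so presumably admin access is HTTP-auth based and a silently reset session would neither block nor surface a forged request, whereas `InvalidAuthenticityToken` fails loudly — confirm that reasoning before writing it down. Suggested replacement for the comment: `# Raise on a missing or mismatched authenticity token instead of the Rails default (reset_session): admin access is HTTP-auth based, so a silent session reset would neither stop nor surface a forged request.` Minor style point: `raise ActionController::InvalidAuthenticityToken` without the parentheses is the conventional Ruby form.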