authorLouise Crow <louise.crow@gmail.com>2015-04-10 11:57:34 +0100
committerLouise Crow <louise.crow@gmail.com>2015-04-10 12:10:07 +0100
commit17882311cce273c62322959a2deb31c2dc5cbae9 (patch)
tree18c2a3def4e7a42e487e98d0e390aec0be9c0dd2 /app/controllers/application_controller.rb
parent14a7c646bd64ce0d174aba594e9591227b039070 (diff)
Only use CSRF protection for logged-in users.
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r--app/controllers/application_controller.rb13
1 files changed, 12 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index dbd879a1c..044f8e10f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -14,7 +14,8 @@ class ApplicationController < ActionController::Base
end
class RouteNotFound < StandardError
end
- protect_from_forgery
+ protect_from_forgery :if => :user?
+ skip_before_filter :verify_authenticity_token, :unless => :user?
# assign our own handler method for non-local exceptions
rescue_from Exception, :with => :render_exception
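Review bot: Gating `verify_authenticity_token` on `user?` means the login POST itself (which runs while `session[:user_id]` is still nil) is no longer CSRF-checked, so an attacker can forge a request that logs the victim into an attacker-controlled account (login CSRF), and any other state-changing action reachable without a login is likewise unprotected. I cannot see the routes from this hunk, so which anonymous endpoints matter is for the author to confirm, but the sessions/login controller is the usual one to keep covered. A safer shape is the inverse: leave `protect_from_forgery` unconditional here and `skip_before_filter :verify_authenticity_token` only in the specific anonymous controllers/actions that need it, or at least document the accepted risk above the two new lines, e.g. `# CSRF checks are deliberately skipped for anonymous sessions; note this also leaves the login form unprotected (login CSRF).` Separately, `protect_from_forgery :if => :user?` already registers the filter conditionally, so the added `skip_before_filter ... :unless => :user?` line appears redundant and could be dropped or justified with a comment.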
@@ -247,6 +248,16 @@ class ApplicationController < ActionController::Base
private
+ def user?
+ !session[:user_id].nil?
+ end
+
+ def form_authenticity_token
+ if user?
+ session[:_csrf_token] ||= SecureRandom.base64(32)
+ end
+ end
+
# Check the user is logged in
def authenticated?(reason_params)
unless session[:user_id]