From 3757bb52c0aa86b779b00428d7ebe35b30cea1ee Mon Sep 17 00:00:00 2001
From: Louise Crow
Date: Thu, 24 Feb 2011 13:47:52 +0000
Subject: Adding CSRF protection for admin forms.

---
 app/controllers/admin_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'app/controllers/admin_controller.rb')

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 4734146a8..76b4f66e7 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -11,12 +11,17 @@ require 'fileutils'
 class AdminController < ApplicationController
     layout "admin"
     before_filter :assign_http_auth_user
+    protect_from_forgery # See ActionController::RequestForgeryProtection for details
 
     # Always give full stack trace for admin interface
     def local_request?
         true
     end
 
+    def handle_unverified_request
+        raise(ActionController::InvalidAuthenticityToken)
+    end
+
     # Expire cached attachment files for a request
     def expire_for_request(info_request)
         # Clear out cached entries, by removing files from disk (the built in
-- 
cgit v1.2.3
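Review bot: The `handle_unverified_request` override carries no comment explaining why the framework's default is replaced, and the `protect_from_forgery` comment only points at the Rails docs. Depending on the Rails version in use (not visible here), the stock handling of an unverified request is to silently reset the session and let the action run, so a one-line comment such as `# Fail loudly on a missing or invalid authenticity token instead of silently resetting the session` would make the intent clear to the next maintainer. Because `protect_from_forgery` is declared without `:only`/`:except`, the check now applies to every non-GET action in this controller and in any subclass of AdminController, so it is worth confirming that no non-browser caller (a script or an XHR that does not send the token) posts to an admin action. A functional test that POSTs to an admin action without `authenticity_token` and expects `ActionController::InvalidAuthenticityToken` would pin the protection so a later Rails upgrade cannot quietly downgrade it. The class body continues outside the hunk.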