From 4cc2cf2a6d935adfd263ea4fd7791a6d84f704da Mon Sep 17 00:00:00 2001
From: Louise Crow
Date: Mon, 28 Feb 2011 13:21:32 +0000
Subject: Add CSRF protection on state changing actions. Use default handler handle_unverified_request which clears session.

---
 app/controllers/admin_controller.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'app/controllers/admin_controller.rb')

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 76b4f66e7..004d460c5 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -13,15 +13,16 @@ class AdminController < ApplicationController
     before_filter :assign_http_auth_user
     protect_from_forgery # See ActionController::RequestForgeryProtection for details
 
+    # action to take if expecting an authenticity token and one isn't received
+    def handle_unverified_request
+        raise(ActionController::InvalidAuthenticityToken)
+    end
+
     # Always give full stack trace for admin interface
     def local_request?
         true
     end
 
-    def handle_unverified_request
-        raise(ActionController::InvalidAuthenticityToken)
-    end
-
     # Expire cached attachment files for a request
     def expire_for_request(info_request)
         # Clear out cached entries, by removing files from disk (the built in
-- 
cgit v1.2.3
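Review bot: The commit message says the default handle_unverified_request (which clears the session) is used, but the hunk keeps an override of handle_unverified_request that raises ActionController::InvalidAuthenticityToken — the definition is only moved above local_request? and given a comment, so the default handler never runs for this controller. If failing loudly is the intent, the description and the new comment should say so, e.g. `# Override the default handler (which resets the session) so a missing or invalid authenticity token fails loudly in the admin interface`; if the default behaviour is the intent, the four added definition lines should be dropped rather than moved. Since local_request? returns true here, the raised exception will be rendered with a full stack trace to whoever sent the request, which is presumably acceptable only because assign_http_auth_user gates the controller. expire_for_request continues outside the hunk.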