From 4cc2cf2a6d935adfd263ea4fd7791a6d84f704da Mon Sep 17 00:00:00 2001
From: Louise Crow <louise.crow@gmail.com>
Date: Mon, 28 Feb 2011 13:21:32 +0000
Subject: Add CSRF protection on state changing actions. Use default handler
 handle_unverified_request which clears session.

---
 app/controllers/admin_controller.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'app/controllers/admin_controller.rb')

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 76b4f66e7..004d460c5 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -13,15 +13,16 @@ class AdminController < ApplicationController
     before_filter :assign_http_auth_user
     protect_from_forgery # See ActionController::RequestForgeryProtection for details
 
+    # action to take if expecting an authenticity token and one isn't received
+    def handle_unverified_request
+        raise(ActionController::InvalidAuthenticityToken)
+    end
+
     # Always give full stack trace for admin interface
     def local_request?
         true
     end
 
-    def handle_unverified_request
-      raise(ActionController::InvalidAuthenticityToken)
-    end
-
     # Expire cached attachment files for a request
     def expire_for_request(info_request)
         # Clear out cached entries, by removing files from disk (the built in
-- 
cgit v1.2.3