forked from fedi/mastodon
Spec response for forgery (#3248)
Remove protect_from_forgery in ApiController, which is disabled by the following skip_before_action, as well.
This commit is contained in:
parent
e98559c3ff
commit
10768aa204
|
@ -4,8 +4,6 @@ class ApiController < ApplicationController
|
|||
DEFAULT_STATUSES_LIMIT = 20
|
||||
DEFAULT_ACCOUNTS_LIMIT = 40
|
||||
|
||||
protect_from_forgery with: :null_session
|
||||
|
||||
skip_before_action :verify_authenticity_token
|
||||
skip_before_action :store_current_location
|
||||
|
||||
|
|
18
spec/controllers/api_controller_spec.rb
Normal file
18
spec/controllers/api_controller_spec.rb
Normal file
|
@ -0,0 +1,18 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'rails_helper'
|
||||
|
||||
describe ApiController, type: :controller do
|
||||
controller do
|
||||
def success
|
||||
head 200
|
||||
end
|
||||
end
|
||||
|
||||
it 'does not protect from forgery' do
|
||||
ActionController::Base.allow_forgery_protection = true
|
||||
routes.draw { post 'success' => 'api#success' }
|
||||
post 'success'
|
||||
expect(response).to have_http_status(:success)
|
||||
end
|
||||
end
|
|
@ -37,6 +37,16 @@ describe ApplicationController, type: :controller do
|
|||
end
|
||||
end
|
||||
|
||||
context 'forgery' do
|
||||
subject do
|
||||
ActionController::Base.allow_forgery_protection = true
|
||||
routes.draw { post 'success' => 'anonymous#success' }
|
||||
post 'success'
|
||||
end
|
||||
|
||||
include_examples 'respond_with_error', 422
|
||||
end
|
||||
|
||||
it "does not force ssl if LOCAL_HTTPS is not 'true'" do
|
||||
routes.draw { get 'success' => 'anonymous#success' }
|
||||
ClimateControl.modify LOCAL_HTTPS: '' do
|
||||
|
|
Loading…
Reference in a new issue