1
0
Fork 0
forked from fedi/mastodon

Spec response for forgery (#3248)

Remove protect_from_forgery in ApiController, which is disabled by the
following skip_before_action, as well.
This commit is contained in:
Akihiko Odaki (@fn_aki@pawoo.net) 2017-06-02 03:56:55 +09:00 committed by Eugen Rochko
parent e98559c3ff
commit 10768aa204
3 changed files with 28 additions and 2 deletions

View file

@ -4,8 +4,6 @@ class ApiController < ApplicationController
DEFAULT_STATUSES_LIMIT = 20 DEFAULT_STATUSES_LIMIT = 20
DEFAULT_ACCOUNTS_LIMIT = 40 DEFAULT_ACCOUNTS_LIMIT = 40
protect_from_forgery with: :null_session
skip_before_action :verify_authenticity_token skip_before_action :verify_authenticity_token
skip_before_action :store_current_location skip_before_action :store_current_location

View file

@ -0,0 +1,18 @@
# frozen_string_literal: true
require 'rails_helper'
describe ApiController, type: :controller do
controller do
def success
head 200
end
end
it 'does not protect from forgery' do
ActionController::Base.allow_forgery_protection = true
routes.draw { post 'success' => 'api#success' }
post 'success'
expect(response).to have_http_status(:success)
end
end

View file

@ -37,6 +37,16 @@ describe ApplicationController, type: :controller do
end end
end end
context 'forgery' do
subject do
ActionController::Base.allow_forgery_protection = true
routes.draw { post 'success' => 'anonymous#success' }
post 'success'
end
include_examples 'respond_with_error', 422
end
it "does not force ssl if LOCAL_HTTPS is not 'true'" do it "does not force ssl if LOCAL_HTTPS is not 'true'" do
routes.draw { get 'success' => 'anonymous#success' } routes.draw { get 'success' => 'anonymous#success' }
ClimateControl.modify LOCAL_HTTPS: '' do ClimateControl.modify LOCAL_HTTPS: '' do