Fix direct uploads to local service

Disable CSRF protection for ActiveStorage::DiskController#update. The local disk service is intended to imitate a third-party service like S3 or GCS, so we don't care where direct uploads originate: they’re authorized by signed tokens. Closes #30290. [Shinichi Maeshima & George Claghorn]
author: George Claghorn <george@basecamp.com> 2017-11-20 10:52:54 -0500
committer: George Claghorn <george@basecamp.com> 2017-11-20 10:54:46 -0500
commit: 2d20a7696a761b1840bc2fbe09a2fd4bff2a779f (patch)
tree: f3fc409d686bd97219147bb4ae14d93a0c5fdbf8 /activestorage/app
parent: 951e2715b578e75a37b4cee914b9076df920cab4 (diff)
download: rails-2d20a7696a761b1840bc2fbe09a2fd4bff2a779f.tar.gz
rails-2d20a7696a761b1840bc2fbe09a2fd4bff2a779f.tar.bz2
rails-2d20a7696a761b1840bc2fbe09a2fd4bff2a779f.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/activestorage/app/controllers/active_storage/disk_controller.rb b/activestorage/app/controllers/active_storage/disk_controller.rb
index a4fd427cb2..8caecfff49 100644
--- a/activestorage/app/controllers/active_storage/disk_controller.rb
+++ b/activestorage/app/controllers/active_storage/disk_controller.rb
@@ -5,6 +5,8 @@
 # Always go through the BlobsController, or your own authenticated controller, rather than directly
 # to the service url.
 class ActiveStorage::DiskController < ActionController::Base
+  skip_forgery_protection
+
   def show
     if key = decode_verified_key
       send_data disk_service.download(key),
author	George Claghorn <george@basecamp.com>	2017-11-20 10:52:54 -0500
committer	George Claghorn <george@basecamp.com>	2017-11-20 10:54:46 -0500
commit	2d20a7696a761b1840bc2fbe09a2fd4bff2a779f (patch)
tree	f3fc409d686bd97219147bb4ae14d93a0c5fdbf8 /activestorage/app
parent	951e2715b578e75a37b4cee914b9076df920cab4 (diff)
download	rails-2d20a7696a761b1840bc2fbe09a2fd4bff2a779f.tar.gz rails-2d20a7696a761b1840bc2fbe09a2fd4bff2a779f.tar.bz2 rails-2d20a7696a761b1840bc2fbe09a2fd4bff2a779f.zip