aboutsummaryrefslogtreecommitdiffstats
path: root/railties/lib/rails
diff options
context:
space:
mode:
authorLisa Ugray <lisa.ugray@shopify.com>2017-07-10 11:12:45 -0400
committerLisa Ugray <lisa.ugray@shopify.com>2017-07-10 16:23:47 -0400
commitec4a836919c021c0a5cf9ebeebb4db5e02104a55 (patch)
treeae03e9e4fdff6d55fec6477e4a50c5f9750c9bd7 /railties/lib/rails
parentb6300f3ecc79bff29cf9bb804a30fd92403feac1 (diff)
downloadrails-ec4a836919c021c0a5cf9ebeebb4db5e02104a55.tar.gz
rails-ec4a836919c021c0a5cf9ebeebb4db5e02104a55.tar.bz2
rails-ec4a836919c021c0a5cf9ebeebb4db5e02104a55.zip
Protect from forgery by default
Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base by config. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.
Diffstat (limited to 'railties/lib/rails')
-rw-r--r--railties/lib/rails/application/configuration.rb4
-rw-r--r--railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt3
-rw-r--r--railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt4
3 files changed, 8 insertions, 3 deletions
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index 7e1359c42b..d403c4fa7c 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -96,6 +96,10 @@ module Rails
active_support.use_authenticated_message_encryption = true
end
+ if respond_to?(:action_controller)
+ action_controller.default_protect_from_forgery = true
+ end
+
else
raise "Unknown version #{target_version.to_s.inspect}"
end
diff --git a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
index 413354186d..185c0017f1 100644
--- a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt
@@ -1,5 +1,2 @@
class ApplicationController < ActionController::<%= options[:api] ? "API" : "Base" %>
-<%- unless options[:api] -%>
- protect_from_forgery with: :exception
-<%- end -%>
end
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt
index 3809936f9f..e8f5f964ed 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt
@@ -17,3 +17,7 @@
# Use AES-256-GCM authenticated encryption as default cipher for encrypting messages
# instead of AES-256-CBC, when use_authenticated_message_encryption is set to true.
# Rails.application.config.active_support.use_authenticated_message_encryption = true
+
+# Add default protection from forgery to ActionController::Base instead of in
+# ApplicationController.
+# Rails.applocation.config.action_controller.default_protect_from_forgery = true
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-08 01:34:33 +0000