diff options
author | Lisa Ugray <lisa.ugray@shopify.com> | 2017-07-10 11:12:45 -0400 |
---|---|---|
committer | Lisa Ugray <lisa.ugray@shopify.com> | 2017-07-10 16:23:47 -0400 |
commit | ec4a836919c021c0a5cf9ebeebb4db5e02104a55 (patch) | |
tree | ae03e9e4fdff6d55fec6477e4a50c5f9750c9bd7 /railties | |
parent | b6300f3ecc79bff29cf9bb804a30fd92403feac1 (diff) | |
download | rails-ec4a836919c021c0a5cf9ebeebb4db5e02104a55.tar.gz rails-ec4a836919c021c0a5cf9ebeebb4db5e02104a55.tar.bz2 rails-ec4a836919c021c0a5cf9ebeebb4db5e02104a55.zip |
Protect from forgery by default
Rather than protecting from forgery in the generated
ApplicationController, add it to ActionController::Base by config. This
configuration defaults to false to support older versions which have
removed it from their ApplicationController, but is set to true for
Rails 5.2.
Diffstat (limited to 'railties')
5 files changed, 16 insertions, 4 deletions
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index 7e1359c42b..d403c4fa7c 100644 --- a/railties/lib/rails/application/configuration.rb +++ b/railties/lib/rails/application/configuration.rb @@ -96,6 +96,10 @@ module Rails active_support.use_authenticated_message_encryption = true end + if respond_to?(:action_controller) + action_controller.default_protect_from_forgery = true + end + else raise "Unknown version #{target_version.to_s.inspect}" end diff --git a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt index 413354186d..185c0017f1 100644 --- a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb.tt @@ -1,5 +1,2 @@ class ApplicationController < ActionController::<%= options[:api] ? "API" : "Base" %> -<%- unless options[:api] -%> - protect_from_forgery with: :exception -<%- end -%> end diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt index 3809936f9f..e8f5f964ed 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt @@ -17,3 +17,7 @@ # Use AES-256-GCM authenticated encryption as default cipher for encrypting messages # instead of AES-256-CBC, when use_authenticated_message_encryption is set to true. # Rails.application.config.active_support.use_authenticated_message_encryption = true + +# Add default protection from forgery to ActionController::Base instead of in +# ApplicationController. +# Rails.applocation.config.action_controller.default_protect_from_forgery = true diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb index 983ea5c3e6..6c0c087331 100644 --- a/railties/test/application/configuration_test.rb +++ b/railties/test/application/configuration_test.rb @@ -1209,6 +1209,13 @@ module ApplicationTests assert_equal false, ActionController::Parameters.action_on_unpermitted_parameters end + test "config.action_controller.default_protect_from_forgery is true by default" do + app "development" + + assert_equal true, ActionController::Base.default_protect_from_forgery + assert_includes ActionController::Base.__callbacks[:process_action].map(&:filter), :verify_authenticity_token + end + test "config.action_controller.permit_all_parameters can be configured in an initializer" do app_file "config/initializers/permit_all_parameters.rb", <<-RUBY Rails.application.config.action_controller.permit_all_parameters = true diff --git a/railties/test/application/rake_test.rb b/railties/test/application/rake_test.rb index 5ae6ea925f..134106812d 100644 --- a/railties/test/application/rake_test.rb +++ b/railties/test/application/rake_test.rb @@ -117,7 +117,7 @@ module ApplicationTests end def test_code_statistics_sanity - assert_match "Code LOC: 26 Test LOC: 0 Code to Test Ratio: 1:0.0", + assert_match "Code LOC: 25 Test LOC: 0 Code to Test Ratio: 1:0.0", Dir.chdir(app_path) { `bin/rails stats` } end |