From ec4a836919c021c0a5cf9ebeebb4db5e02104a55 Mon Sep 17 00:00:00 2001
From: Lisa Ugray <lisa.ugray@shopify.com>
Date: Mon, 10 Jul 2017 11:12:45 -0400
Subject: Protect from forgery by default

Rather than protecting from forgery in the generated
ApplicationController, add it to ActionController::Base by config. This
configuration defaults to false to support older versions which have
removed it from their ApplicationController, but is set to true for
Rails 5.2.
---
 actionpack/lib/action_controller/metal/request_forgery_protection.rb | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 4468cbb2fc..117dee2219 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -85,6 +85,10 @@ module ActionController #:nodoc:
       config_accessor :per_form_csrf_tokens
       self.per_form_csrf_tokens = false
 
+      # Controls whether forgery protection is enabled by default.
+      config_accessor :default_protect_from_forgery
+      self.default_protect_from_forgery = false
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
-- 
cgit v1.2.3