From 67584c6ae37c88f8abba6f4fbdeedc7c1a6dfa1b Mon Sep 17 00:00:00 2001
From: "John Barton (joho)"
Date: Wed, 5 Mar 2014 11:24:51 +1100
Subject: Make CSRF failure logging optional/configurable.

Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default.
---
 .../lib/action_controller/metal/request_forgery_protection.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index c88074d4c6..e3b1f5ae7c 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -68,6 +68,10 @@ module ActionController #:nodoc:
       config_accessor :allow_forgery_protection
       self.allow_forgery_protection = true if allow_forgery_protection.nil?
 
+      # Controls whether a CSRF failure logs a warning. On by default.
+      config_accessor :log_warning_on_csrf_failure
+      self.log_warning_on_csrf_failure = true
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
@@ -193,7 +197,9 @@ module ActionController #:nodoc:
       mark_for_same_origin_verification!
 
       if !verified_request?
-        logger.warn "Can't verify CSRF token authenticity" if logger
+        if logger && log_warning_on_csrf_failure
+          logger.warn "Can't verify CSRF token authenticity"
+        end
         handle_unverified_request
       end
     end
-- 
cgit v1.2.3
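Review bot: The new default is assigned unconditionally, `self.log_warning_on_csrf_failure = true`, while the sibling line two above guards its default with `if allow_forgery_protection.nil?`; since this runs in an `included` block, an unconditional write would reset a value that was already configured on the receiving class before the module was included, which I infer from the guard on the neighbouring line rather than from anything visible here. For consistency with that line I would write `self.log_warning_on_csrf_failure = true if log_warning_on_csrf_failure.nil?`. The added comment should also state the cost of turning the option off, e.g. `# Controls whether a CSRF failure logs a warning. On by default; turning it off leaves no log trace of rejected requests unless handle_unverified_request reports them.` The enclosing `included do` block starts above this hunk.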
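Review bot: With the option off, the `if logger && log_warning_on_csrf_failure` branch is the only place a rejected request is recorded before `handle_unverified_request` runs, so a deployment that disables it loses the one signal an operator has that CSRF tokens are being rejected, unless the configured strategy or an override of `handle_unverified_request` reports the failure on its own (the strategies are not visible in this hunk). That trade-off deserves a comment where the flag is consulted, e.g. `# Log before handling: with the default strategy this is the only record that the request was rejected` above the `if logger && log_warning_on_csrf_failure` line. The enclosing method starts above this hunk, so its name and any surrounding documentation are outside my view.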