From 2d20a7696a761b1840bc2fbe09a2fd4bff2a779f Mon Sep 17 00:00:00 2001
From: George Claghorn <george@basecamp.com>
Date: Mon, 20 Nov 2017 10:52:54 -0500
Subject: Fix direct uploads to local service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Disable CSRF protection for ActiveStorage::DiskController#update. The local disk service is intended to imitate a third-party service like S3 or GCS, so we don't care where direct uploads originate: they’re authorized by signed tokens.

Closes #30290.

[Shinichi Maeshima & George Claghorn]
---
 activestorage/app/controllers/active_storage/disk_controller.rb | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'activestorage/app')

diff --git a/activestorage/app/controllers/active_storage/disk_controller.rb b/activestorage/app/controllers/active_storage/disk_controller.rb
index a4fd427cb2..8caecfff49 100644
--- a/activestorage/app/controllers/active_storage/disk_controller.rb
+++ b/activestorage/app/controllers/active_storage/disk_controller.rb
@@ -5,6 +5,8 @@
 # Always go through the BlobsController, or your own authenticated controller, rather than directly
 # to the service url.
 class ActiveStorage::DiskController < ActionController::Base
+  skip_forgery_protection
+
   def show
     if key = decode_verified_key
       send_data disk_service.download(key),
-- 
cgit v1.2.3