From ec4a836919c021c0a5cf9ebeebb4db5e02104a55 Mon Sep 17 00:00:00 2001
From: Lisa Ugray <lisa.ugray@shopify.com>
Date: Mon, 10 Jul 2017 11:12:45 -0400
Subject: Protect from forgery by default

Rather than protecting from forgery in the generated
ApplicationController, add it to ActionController::Base by config. This
configuration defaults to false to support older versions which have
removed it from their ApplicationController, but is set to true for
Rails 5.2.
---
 railties/lib/rails/application/configuration.rb | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'railties/lib/rails/application/configuration.rb')

diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index 7e1359c42b..d403c4fa7c 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -96,6 +96,10 @@ module Rails
             active_support.use_authenticated_message_encryption = true
           end
 
+          if respond_to?(:action_controller)
+            action_controller.default_protect_from_forgery = true
+          end
+
         else
           raise "Unknown version #{target_version.to_s.inspect}"
         end
-- 
cgit v1.2.3