Skip forgery protection in api controllers #2800

Merged (3 commits), Oct 17, 2018
1 change: 1 addition & 0 deletions api/app/controllers/spree/api/base_controller.rb
Expand Up @@ -7,6 +7,7 @@ module Api
class BaseController < ActionController::Base
self.responder = Spree::Api::Responders::AppResponder
respond_to :json
protect_from_forgery unless: -> { request.format.json? }

include CanCan::ControllerAdditions
include Spree::Core::ControllerHelpers::Store
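Review bot: the `unless:` condition in `protect_from_forgery unless: -> { request.format.json? }` keys the CSRF skip on the negotiated response format, not on how the request was authenticated. A cross-site form can be pointed at an API path with a `.json` suffix or a `format=json` parameter; that request skips `verify_authenticity_token` while still carrying the victim's session cookie. The skip is therefore only safe if nothing in this controller (for example `load_user`) falls back to the session user when no API key is supplied; please confirm that in the PR, or make the condition depend on an API key or order token actually being present rather than on the format. Minor: the bare `protect_from_forgery` resets the strategy to `:null_session` for the non-JSON case; with `respond_to :json` that is harmless, but passing `with:` explicitly would make the intent clear.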
4 changes: 2 additions & 2 deletions backend/spec/features/admin/orders/payments_spec.rb
Expand Up @@ -22,7 +22,7 @@
end

# Regression tests for https://github.com/spree/spree/issues/1453
context 'with a check payment' do
context 'with a check payment', js: true do
let(:order) { create(:completed_order_with_totals, number: 'R100') }
let!(:payment) do
create(:payment,
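Review bot: `js: true` on `context 'with a check payment', js: true do` moves an entire regression context to the JavaScript driver without changing anything it asserts, and nothing in the diff explains why enabling forgery protection requires that. If the payment form now depends on a browser-side step to submit a valid authenticity token, say so in a comment above the context; if it does not, drop the driver change, since JS-driven feature specs are much slower and flakier than rack_test.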
Expand Down Expand Up @@ -205,7 +205,7 @@
visit spree.admin_order_payments_path(order.reload)
end

it "can successfully be created and captured" do
it "can successfully be created and captured", js: true do
click_on 'Update'
expect(page).to have_content("Payment has been successfully created!")
click_icon(:capture)
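Review bot: this is the second example in the same file tagged individually (`it "can successfully be created and captured", js: true do`). If every payment-creation example in this spec now needs a real browser to submit the form, move the flag to the enclosing `describe`/`context` instead of tagging examples one by one; if only these two do, a short comment on each saying what rack_test cannot do here would save the next reader the guessing.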
3 changes: 0 additions & 3 deletions core/lib/generators/spree/dummy/templates/rails/test.rb
Expand Up @@ -20,9 +20,6 @@
# Raise exceptions instead of rendering exception templates
config.action_dispatch.show_exceptions = false

# Disable request forgery protection in test environment
config.action_controller.allow_forgery_protection = false

# Tell Action Mailer not to deliver emails to the real world.
# The :test delivery method accumulates sent emails in the
# ActionMailer::Base.deliveries array.
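Review bot: removing `config.action_controller.allow_forgery_protection = false` from this generator template changes the test environment of every extension's dummy app, not just the Solidus suite. Any extension feature spec that posts a form or fires an XHR without an authenticity token will start failing once its dummy app is regenerated (an `ActionController::InvalidAuthenticityToken` under the `:exception` strategy, or a silently dropped session under `:null_session`), so this needs a changelog entry and ideally a line in the upgrade notes. The removal itself is the right call: with protection switched off in test, the suite cannot catch a controller that is wrongly protected, which is the API problem this PR is fixing.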
15 changes: 13 additions & 2 deletions core/lib/spree/testing_support/dummy_app.rb
Expand Up @@ -12,9 +12,16 @@

require 'solidus_core'

# @private
def forgery_protected_by_default?
Gem::Version.new(Rails.version) >= Gem::Version.new('5.2')
end

# @private
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
if !forgery_protected_by_default?
protect_from_forgery with: :exception
end
end

# @private
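Review bot: `def forgery_protected_by_default?` is defined at the top level of a file that is `require`d into the test process, so it becomes a private method on `Object` and is visible from every object in the suite; put it under a module (next to `DummyApp`, for instance) or make it a constant. The branch it guards also has no behavioural effect: on Rails 5.2 `default_protect_from_forgery` applies `protect_from_forgery with: :exception` to `ActionController::Base`, which is exactly what the explicit call does, so an unconditional `protect_from_forgery with: :exception` in `ApplicationController` would behave identically on every supported Rails version. If the intent is to exercise the 5.2 default path in the dummy app, a comment saying so would help; otherwise drop the helper, and in any case `if !forgery_protected_by_default?` reads better as `unless`.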
Expand Down Expand Up @@ -50,14 +57,18 @@ class Application < ::Rails::Application
config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }
config.whiny_nils = true
config.consider_all_requests_local = true
config.action_controller.allow_forgery_protection = true
config.action_controller.perform_caching = false
config.action_dispatch.show_exceptions = false
config.active_support.deprecation = :stderr
config.action_mailer.delivery_method = :test
config.action_controller.allow_forgery_protection = false
config.active_support.deprecation = :stderr
config.secret_key_base = 'SECRET_TOKEN'

if forgery_protected_by_default?
config.action_controller.default_protect_from_forgery = true
end

if config.active_record.sqlite3
# Rails >= 5.2
config.active_record.sqlite3.represent_boolean_as_integer = true
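Review bot: `config.active_support.deprecation = :stderr` appears twice in the context of this hunk (once above `config.action_mailer.delivery_method = :test` and again just after the removed `config.action_controller.allow_forgery_protection = false`); since the block is already being edited, drop the duplicate. Two smaller points: the new `config.action_controller.allow_forgery_protection = true` sits several lines away from the `default_protect_from_forgery` block that belongs with it, and that block uses a version comparison while the `if config.active_record.sqlite3` check a few lines down (commented `# Rails >= 5.2`) uses feature detection. Grouping the two forgery settings together under one comment stating that the dummy app is deliberately configured like a Rails 5.2 production app, and picking one detection style, would make the intent obvious to the next reader.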