Remove protect_from_forgery in ApiController, which is disabled by the
following skip_before_action, as well.
DEFAULT_STATUSES_LIMIT = 20
DEFAULT_ACCOUNTS_LIMIT = 40
- protect_from_forgery with: :null_session
-
skip_before_action :verify_authenticity_token
skip_before_action :store_current_location
--- /dev/null
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ApiController, type: :controller do
+ controller do
+ def success
+ head 200
+ end
+ end
+
+ it 'does not protect from forgery' do
+ ActionController::Base.allow_forgery_protection = true
+ routes.draw { post 'success' => 'api#success' }
+ post 'success'
+ expect(response).to have_http_status(:success)
+ end
+end
end
end
+ context 'forgery' do
+ subject do
+ ActionController::Base.allow_forgery_protection = true
+ routes.draw { post 'success' => 'anonymous#success' }
+ post 'success'
+ end
+
+ include_examples 'respond_with_error', 422
+ end
+
it "does not force ssl if LOCAL_HTTPS is not 'true'" do
routes.draw { get 'success' => 'anonymous#success' }
ClimateControl.modify LOCAL_HTTPS: '' do
cat aescling's git repositories / mastodon.git / commitdiff