Spec response for forgery (#3248)
Also remove protect_from_forgery from ApiController, since the skip_before_action that follows it disables it anyway.
parent
e98559c3ff
commit
10768aa204
|
@ -4,8 +4,6 @@ class ApiController < ApplicationController
|
||||||
DEFAULT_STATUSES_LIMIT = 20
|
DEFAULT_STATUSES_LIMIT = 20
|
||||||
DEFAULT_ACCOUNTS_LIMIT = 40
|
DEFAULT_ACCOUNTS_LIMIT = 40
|
||||||
|
|
||||||
protect_from_forgery with: :null_session
|
|
||||||
|
|
||||||
skip_before_action :verify_authenticity_token
|
skip_before_action :verify_authenticity_token
|
||||||
skip_before_action :store_current_location
|
skip_before_action :store_current_location
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'rails_helper'
|
||||||
|
|
||||||
|
describe ApiController, type: :controller do
|
||||||
|
controller do
|
||||||
|
def success
|
||||||
|
head 200
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'does not protect from forgery' do
|
||||||
|
ActionController::Base.allow_forgery_protection = true
|
||||||
|
routes.draw { post 'success' => 'api#success' }
|
||||||
|
post 'success'
|
||||||
|
expect(response).to have_http_status(:success)
|
||||||
|
end
|
||||||
|
end
|
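Review bot: `ActionController::Base.allow_forgery_protection = true` in the 'does not protect from forgery' example is a process-wide setting that is never restored, so examples that run later in the same process inherit it and their results can become order-dependent. The same assignment appears in the `subject` block of the new 'forgery' context in the ApplicationController spec. Saving the previous value and restoring it in an `around` hook would keep both specs self-contained; a sketch for this file follows. Since this spec pins the absence of CSRF checking as intended behaviour, a short comment above the example saying why ApiController may accept a request without an authenticity token would also help the next reader.

```ruby
describe ApiController, type: :controller do
  # … unchanged: anonymous controller defining #success …

  around do |example|
    previous = ActionController::Base.allow_forgery_protection
    ActionController::Base.allow_forgery_protection = true
    begin
      example.run
    ensure
      # Restore the global so later examples see the suite's configured value.
      ActionController::Base.allow_forgery_protection = previous
    end
  end

  # … unchanged: the example itself, minus its allow_forgery_protection assignment …
```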
|
@ -37,6 +37,16 @@ describe ApplicationController, type: :controller do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'forgery' do
|
||||||
|
subject do
|
||||||
|
ActionController::Base.allow_forgery_protection = true
|
||||||
|
routes.draw { post 'success' => 'anonymous#success' }
|
||||||
|
post 'success'
|
||||||
|
end
|
||||||
|
|
||||||
|
include_examples 'respond_with_error', 422
|
||||||
|
end
|
||||||
|
|
||||||
it "does not force ssl if LOCAL_HTTPS is not 'true'" do
|
it "does not force ssl if LOCAL_HTTPS is not 'true'" do
|
||||||
routes.draw { get 'success' => 'anonymous#success' }
|
routes.draw { get 'success' => 'anonymous#success' }
|
||||||
ClimateControl.modify LOCAL_HTTPS: '' do
|
ClimateControl.modify LOCAL_HTTPS: '' do
|
||||||
|
|