Revision 73f99b5c
Added by Dominic Cleal about 10 years ago
app/controllers/api/base_controller.rb | ||
include Foreman::Controller::Session
|
||
include Foreman::ThreadSession::Cleaner
|
||
|
||
protect_from_forgery
|
||
skip_before_filter :verify_authenticity_token, :unless => :protect_api_from_forgery?
|
||
|
||
before_filter :set_default_response_format, :authorize, :add_version_header, :set_gettext_locale
|
||
before_filter :session_expiry, :update_activity_time
|
||
|
||
... | ... | |
raise ::Foreman::Exception.new(N_("unknown permission for %s"), "#{params[:controller]}##{params[:action]}")
|
||
end
|
||
end
|
||
|
||
def protect_api_from_forgery?
|
||
session[:user].present?
|
||
end
|
||
end
|
||
end
|
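Review bot: `protect_from_forgery` at the top of the section is declared without an explicit strategy, so the outcome of a failed token check on a session-backed API request is whatever the framework default does (silently resetting the session on older Rails, raising on others), and the client then sees a generic authorization failure rather than a CSRF-specific error; I would pin it, e.g. `protect_from_forgery :with => :exception` where the Rails version in use accepts that option, and rescue the resulting error with the API's usual JSON error response. The collapsed lines before `protect_api_from_forgery?` do not show whether it sits under `private`; a predicate used only as a filter condition should not be a public controller method, so please confirm or move it below `private`. A one-line why-comment on the `skip_before_filter` line would help the next reader, e.g. `# Token/basic-auth API clients carry no session, so the CSRF check only matters when a browser session user is attached to the request`.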
fixes #4895 - Adds CSRF protection check to the API if a session user is present