Revision 73f99b5c
Added by Dominic Cleal about 10 years ago
test/functional/api/base_controller_subclass_test.rb | ||
assert_equal ['error'], ActiveSupport::JSON.decode(@response.body).keys
|
||
end
|
||
end
|
||
|
||
context 'CSRF' do
|
||
setup do
|
||
ActionController::Base.allow_forgery_protection = true
|
||
SETTINGS[:login] = true
|
||
User.current = nil
|
||
request.env['HTTP_AUTHORIZATION'] = nil
|
||
end
|
||
|
||
teardown do
|
||
ActionController::Base.allow_forgery_protection = false
|
||
end
|
||
|
||
it "blocks access without CSRF token when there is a session user" do
|
||
request.headers['X-CSRF-Token'] = nil
|
||
post :index, {}, set_session_user
|
||
assert_response :unauthorized
|
||
end
|
||
|
||
it "works with a CSRF token when there is a session user" do
|
||
request.headers['X-CSRF-Token'] = 'TEST_TOKEN'
|
||
post :index, {:authenticity_token => 'TEST_TOKEN'}, set_session_user.merge(:_csrf_token => 'TEST_TOKEN')
|
||
assert_response :success
|
||
end
|
||
end
|
||
end
|
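Review bot: The negative case only covers an absent token (`request.headers['X-CSRF-Token'] = nil` before `post :index, {}, set_session_user`), so nothing here exercises a present-but-wrong token, which is the case that matters for forgery: an attacker can always send some token, just not the one bound to the victim's session. The positive case supplies 'TEST_TOKEN' through both the header and `:authenticity_token`, so it also does not show which channel the controller actually verifies; I would add a mismatch test next to the two new ones and, since the commit message says only session users are checked, a test that posts with HTTP Basic credentials and no token and expects success, to pin the exemption for API-token clients. Separately, the teardown restores `allow_forgery_protection` but not `SETTINGS[:login]` or `User.current`, which can leak into later tests; the enclosing test class continues outside this hunk, so that may be handled elsewhere.
```ruby
# … unchanged: setup/teardown and the two existing CSRF tests …

it "blocks access with a mismatched CSRF token when there is a session user" do
  request.headers['X-CSRF-Token'] = 'WRONG_TOKEN'
  post :index, {}, set_session_user.merge(:_csrf_token => 'TEST_TOKEN')
  assert_response :unauthorized
end
```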
fixes #4895 - Adds CSRF protection check to the API if a session user is present