Revision 73f99b5c
Added by Dominic Cleal about 10 years ago
| test/functional/api/base_controller_subclass_test.rb | ||
|---|---|---|
|
assert_equal ['error'], ActiveSupport::JSON.decode(@response.body).keys
|
||
|
end
|
||
|
end
|
||
|
|
||
|
context 'CSRF' do
|
||
|
setup do
|
||
|
ActionController::Base.allow_forgery_protection = true
|
||
|
SETTINGS[:login] = true
|
||
|
User.current = nil
|
||
|
request.env['HTTP_AUTHORIZATION'] = nil
|
||
|
end
|
||
|
|
||
|
teardown do
|
||
|
ActionController::Base.allow_forgery_protection = false
|
||
|
end
|
||
|
|
||
|
it "blocks access without CSRF token when there is a session user" do
|
||
|
request.headers['X-CSRF-Token'] = nil
|
||
|
post :index, {}, set_session_user
|
||
|
assert_response :unauthorized
|
||
|
end
|
||
|
|
||
|
it "works with a CSRF token when there is a session user" do
|
||
|
request.headers['X-CSRF-Token'] = 'TEST_TOKEN'
|
||
|
post :index, {:authenticity_token => 'TEST_TOKEN'}, set_session_user.merge(:_csrf_token => 'TEST_TOKEN')
|
||
|
assert_response :success
|
||
|
end
|
||
|
end
|
||
|
end
|
||
Also available in: Unified diff
fixes #4895 - Adds CSRF protection check to the API if a session user is present