github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 16:11:08 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

we can't trust CSRF for anon the way it is designed.

Browse Source 
The page they have loaded may be cached we need a different way of delivering the CSRF potentially
This commit is contained in:
Sam
2013-05-03 16:43:11 +10:00
parent 4d2c28e8b2
commit 42494b5bb1
5 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/users_controller.rb
View File

@ -8,6 +8,11 @@ class UsersController < ApplicationController
before_filter :ensure_logged_in, only: [:username, :update, :change_email, :user_preferences_redirect]
# we need to allow account creation with bad CSRF tokens, if people are caching, the CSRF token on the
# page is going to be empty, this means that server will see an invalid CSRF and blow the session
# once that happens you can't log in with social
skip_before_filter :verify_authenticity_token, only: [:create]
def show
@user = fetch_user_from_params
user_serializer = UserSerializer.new(@user, scope: guardian, root: 'user')