github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 06:14:12 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Skip CSRF token check on webhook routes (#16982)

Browse Source 
The `WebhookController` inherits directly from `ActionController::Base`. Since Rails 5.2, forgery protection has been enabled by default. When we applied those new defaults in 0403a8633bdedfe497ec3e2fe5d03e17940d6f16, it took effect on this controller and broke integrations.

This commit explicitly disables CSRF protection on these webhook routes, and updates the specs so they'll catch this kind of regression in future.
This commit is contained in:
Wolftallemo
2022-06-13 10:36:45 -04:00
committed by GitHub
parent 77632d2d36
commit be556ef17b
2 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
spec/requests/webhooks_controller_spec.rb
View File

@ -15,6 +15,11 @@ describe WebhooksController do
before do
SiteSetting.mailgun_api_key = "key-8221462f0c915af3f6f2e2df7aa5a493"
ActionController::Base.allow_forgery_protection = true # Ensure the endpoint works, even with CSRF protection generally enabled
end
after do
ActionController::Base.allow_forgery_protection = false
end
it "works (deprecated)" do