FIX: Skip CSRF token check on webhook routes (#16982)
The `WebhooksController` inherits directly from `ActionController::Base`. Since Rails 5.2, forgery protection has been enabled by default. When we applied those new defaults in 0403a8633b, it took effect on this controller and broke integrations.
This commit explicitly disables CSRF protection on these webhook routes, and updates the specs so they'll catch this kind of regression in future.
parent
77632d2d36
commit
be556ef17b
@ -3,6 +3,7 @@
|
||||||
require "openssl"
|
require "openssl"
|
||||||
|
|
||||||
class WebhooksController < ActionController::Base
|
class WebhooksController < ActionController::Base
|
||||||
|
skip_before_action :verify_authenticity_token
|
||||||
|
|
||||||
def mailgun
|
def mailgun
|
||||||
return mailgun_failure if SiteSetting.mailgun_api_key.blank?
|
return mailgun_failure if SiteSetting.mailgun_api_key.blank?
|
||||||
|
|
|
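Review bot: The new `skip_before_action :verify_authenticity_token` on line 28 turns off CSRF checks for every action in WebhooksController, not just `mailgun`, and nothing in the hunk records why that is safe, so someone adding an action later gets no hint that the sender must be authenticated some other way. Skipping the token is the right fix for a browser-less, server-to-server endpoint, but only if each action verifies the provider's request itself; the `mailgun` action visibly refuses to run without `SiteSetting.mailgun_api_key`, and presumably goes on to check the request signature (the `require "openssl"` suggests so, but the rest of the method lies outside the hunk). I would add a comment above the skip: `# Webhooks are server-to-server calls with no browser session, so a CSRF token can never be present; every action in this controller must authenticate the sender itself (e.g. by verifying the provider's signature).` If this controller ever hosts anything that is not a webhook, scope the skip with `only:`.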
@ -15,6 +15,11 @@ describe WebhooksController do
|
||||||
|
|
||||||
before do
|
before do
|
||||||
SiteSetting.mailgun_api_key = "key-8221462f0c915af3f6f2e2df7aa5a493"
|
SiteSetting.mailgun_api_key = "key-8221462f0c915af3f6f2e2df7aa5a493"
|
||||||
|
ActionController::Base.allow_forgery_protection = true # Ensure the endpoint works, even with CSRF protection generally enabled
|
||||||
|
end
|
||||||
|
|
||||||
|
after do
|
||||||
|
ActionController::Base.allow_forgery_protection = false
|
||||||
end
|
end
|
||||||
|
|
||||||
it "works (deprecated)" do
|
it "works (deprecated)" do
|
||||||
|
|
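Review bot: The `after` block on line 79 resets `ActionController::Base.allow_forgery_protection` to a hard-coded `false` instead of the value it held before the `before` block ran, so if the test environment or another spec ever enables forgery protection globally, this spec silently switches it off for everything that runs afterwards. Capture the previous value in `before` with `@forgery_protection = ActionController::Base.allow_forgery_protection` and restore it in `after` with `ActionController::Base.allow_forgery_protection = @forgery_protection`. The enclosing `describe WebhooksController do` block starts before the hunk, and the `it "works (deprecated)"` example continues past it.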