#4136 allow_forgery_protection is false even in development environment by default - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#4136 ✓resolved

allow_forgery_protection is false even in development environment by default

Reported by codesnik | March 9th, 2010 @ 10:38 AM | in 3.0.2

seems that recent commit 01f0e47663bbbc593af0c36d4cf49124b200e3d8 (Move request forgery protection configuration to the AC config object) is the offender.

config.request_forgery_protection_token ||= true
in
actionpack/lib/action_controller/metal/request_forgery_protection.rb
seems to work on a different @config, not on the ApplicationController::Base one. probably executed too late to be copied/inherited properly.

I've tried to fix it, but failed. Hope this message would help.

Comments and changes to this ticket

You flagged this item as spam.
Denis Odorcic March 19th, 2010 @ 03:36 AM
- Tag changed from “rails3” to “csrf, patch, rails3, request-forgery-protection”
I've added a patch for this (and light rework to remove some duplicate code). This is also related to #4199. allow_forgery_protection is always evaluating to false, which makes <%= csrf_meta_tag %> never generate anything, causing rails.js to log errors since it couldn't find the authenticity tags.
- fix-protect-from-forgery.diff 3.7 KB
Yehuda Katz (wycats) March 27th, 2010 @ 08:37 AM
- State changed from “new” to “resolved”
- Milestone cleared.
I think this is fixed in master? Please reopen if it's not.
Rizwan Reza March 27th, 2010 @ 08:46 AM
- Milestone cleared.
- State changed from “resolved” to “new”
Just confirmed it, it's resolved in master.
Yehuda Katz (wycats) March 27th, 2010 @ 08:48 AM
- State changed from “new” to “resolved”
- Milestone cleared.
Jeremy Kemper October 15th, 2010 @ 11:01 PM
- Milestone set to “3.0.2”
- Importance changed from “” to “Low”
[bulk edit]
Ryan Bigg November 8th, 2010 @ 01:50 AM
- Tag cleared.
Automatic cleanup of spam.