Fixed that non-GET API requests respond with 422 (#15427).
git-svn-id: http://svn.redmine.org/redmine/trunk@12311 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang
parent
bba304ef39
commit
5c0078c63a
@ -33,13 +33,19 @@ class ApplicationController < ActionController::Base
|
|||||||
layout 'base'
|
layout 'base'
|
||||||
|
|
||||||
protect_from_forgery
|
protect_from_forgery
|
||||||
def handle_unverified_request
|
|
||||||
super
|
def verify_authenticity_token
|
||||||
cookies.delete(autologin_cookie_name)
|
unless api_request?
|
||||||
if api_request?
|
super
|
||||||
logger.error "API calls must include a proper Content-type header (application/xml or application/json)."
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def handle_unverified_request
|
||||||
|
unless api_request?
|
||||||
|
super
|
||||||
|
cookies.delete(autologin_cookie_name)
|
||||||
|
render_error :status => 422, :message => "Invalid form authenticity token."
|
||||||
end
|
end
|
||||||
render_error :status => 422, :message => "Invalid form authenticity token."
|
|
||||||
end
|
end
|
||||||
|
|
||||||
before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
|
before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
|
||||||
|
|||||||
41
test/integration/api_test/api_test.rb
Normal file
41
test/integration/api_test/api_test.rb
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
# Redmine - project management software
|
||||||
|
# Copyright (C) 2006-2013 Jean-Philippe Lang
|
||||||
|
#
|
||||||
|
# This program is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License
|
||||||
|
# as published by the Free Software Foundation; either version 2
|
||||||
|
# of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program; if not, write to the Free Software
|
||||||
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||||
|
|
||||||
|
require File.expand_path('../../../test_helper', __FILE__)
|
||||||
|
|
||||||
|
class Redmine::ApiTest::ApiTest < Redmine::ApiTest::Base
|
||||||
|
fixtures :users
|
||||||
|
|
||||||
|
def setup
|
||||||
|
Setting.rest_api_enabled = '1'
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_api_should_work_with_protect_from_forgery
|
||||||
|
ActionController::Base.allow_forgery_protection = true
|
||||||
|
assert_difference('User.count') do
|
||||||
|
post '/users.xml', {
|
||||||
|
:user => {
|
||||||
|
:login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
|
||||||
|
:mail => 'foo@example.net', :password => 'secret123'}
|
||||||
|
},
|
||||||
|
credentials('admin')
|
||||||
|
assert_response 201
|
||||||
|
end
|
||||||
|
ensure
|
||||||
|
ActionController::Base.allow_forgery_protection = false
|
||||||
|
end
|
||||||
|
end
|
||||||
Loading…
x
Reference in New Issue
Block a user