move protect_from_forgery to the beginning of the before_filter chain as per the recommended rails practices

2011-07-29 17:23:13 +02:00 · 2011-07-29 17:23:13 +02:00 · d7a9adf880
parent 531653596d
commit d7a9adf880
1 changed files with 6 additions and 1 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -24,6 +24,12 @@ class ApplicationController < ActionController::Base
  layout 'base'
  exempt_from_layout 'builder', 'rsb'

+  protect_from_forgery
+  def handle_unverified_request
+    super
+    cookies.delete(:autologin)
+  end
+
  # Remove broken cookie after upgrade from 0.8.x (#4292)
  # See https://rails.lighthouseapp.com/projects/8994/tickets/3360
  # TODO: remove it when Rails is fixed
@ -38,7 +44,6 @@ class ApplicationController < ActionController::Base

  before_filter :user_setup, :check_if_login_required, :set_localization
  filter_parameter_logging :password
-  protect_from_forgery

  rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token