From d7a9adf88075caf2e723a2259b189aa136730e6e Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Fri, 29 Jul 2011 17:23:13 +0200
Subject: [PATCH] move protect_from_forgery to the beginning of the before_filter chain as per the recommended rails practices
---
 app/controllers/application_controller.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 45b1261c..57d77f54 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -24,6 +24,12 @@ class ApplicationController < ActionController::Base
 layout 'base'
 exempt_from_layout 'builder', 'rsb'
+ protect_from_forgery
+ def handle_unverified_request
+ super
+ cookies.delete(:autologin)
+ end
+
 # Remove broken cookie after upgrade from 0.8.x (#4292)
 # See https://rails.lighthouseapp.com/projects/8994/tickets/3360
 # TODO: remove it when Rails is fixed
@@ -38,7 +44,6 @@ class ApplicationController < ActionController::Base
 before_filter :user_setup, :check_if_login_required, :set_localization
 filter_parameter_logging :password
- protect_from_forgery
 rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
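Review bot: The `handle_unverified_request` override added after `protect_from_forgery` in the first hunk appears to sit in the public part of the class (no `protected` or `private` is visible before it, though the class opens outside the hunk), which would turn a hook that Rails declares protected into a public method inherited by every controller. I would keep it out of the action set, for example by adding `protected :handle_unverified_request` directly after its `end`. The override also needs a comment recording the ordering it depends on, such as `# Must run before :user_setup: super resets the session, and dropping the autologin cookie keeps the same request from being logged back in through it`. That `user_setup` performs the cookie-based login is inferred from its name, since its body is not part of this patch.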