From 305bf9161cf9631aa1a25f18b8e58f6c4dcc4ff7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Sat, 5 Sep 2020 17:51:56 +0200
Subject: [PATCH] Enable forgery protection in ActionController

We were manually adding forgery protection to all our controllers, but in Rails 5.2 there's an option (enabled by default for new applications) which adds this protection to all controllers.
---
 app/controllers/application_controller.rb | 1 -
 app/controllers/management/base_controller.rb | 1 -
 app/controllers/management/sessions_controller.rb | 1 -
 config/initializers/new_framework_defaults_5_2.rb | 2 +-
 4 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 32cdbb135..5b74ae2e7 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -7,7 +7,6 @@ class ApplicationController < ActionController::Base
   include AccessDeniedHandler
   default_form_builder ConsulFormBuilder
-  protect_from_forgery with: :exception
   before_action :authenticate_http_basic, if: :http_basic_auth_site?
diff --git a/app/controllers/management/base_controller.rb b/app/controllers/management/base_controller.rb
index 6a2788718..d0180b0a7 100644
--- a/app/controllers/management/base_controller.rb
+++ b/app/controllers/management/base_controller.rb
@@ -2,7 +2,6 @@ class Management::BaseController < ActionController::Base
   include GlobalizeFallbacks
   layout "management"
   default_form_builder ConsulFormBuilder
-  protect_from_forgery with: :exception
   before_action :verify_manager
   before_action :set_locale
diff --git a/app/controllers/management/sessions_controller.rb b/app/controllers/management/sessions_controller.rb
index d2fdfe3eb..84d9d1265 100644
--- a/app/controllers/management/sessions_controller.rb
+++ b/app/controllers/management/sessions_controller.rb
@@ -4,7 +4,6 @@ class Management::SessionsController < ActionController::Base
   include GlobalizeFallbacks
   include AccessDeniedHandler
   default_form_builder ConsulFormBuilder
-  protect_from_forgery with: :exception
   def create
     destroy_session
diff --git a/config/initializers/new_framework_defaults_5_2.rb b/config/initializers/new_framework_defaults_5_2.rb
index 954155cd7..a8b584561 100644
--- a/config/initializers/new_framework_defaults_5_2.rb
+++ b/config/initializers/new_framework_defaults_5_2.rb
@@ -25,7 +25,7 @@
 # Add default protection from forgery to ActionController::Base instead of in
 # ApplicationController.
-# Rails.application.config.action_controller.default_protect_from_forgery = true
+Rails.application.config.action_controller.default_protect_from_forgery = true
 # Use SHA-1 instead of MD5 to generate non-sensitive digests, such as the ETag header.
 # Rails.application.config.active_support.use_sha1_digests = true
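Review bot: With the three explicit `protect_from_forgery with: :exception` calls removed, CSRF protection for every controller in the app now hinges on the single uncommented line in this hunk, and nothing in the commit asserts that the protection is actually in effect after the change. If I remember the 5.2 railtie correctly, `default_protect_from_forgery` makes `ActionController::Base` call `protect_from_forgery with: :exception` when it loads, which is what keeps `Management::BaseController` and `Management::SessionsController` covered even though their hunk headers show them subclassing `ActionController::Base` directly rather than `ApplicationController`; it does not reach `ActionController::API` or `ActionController::Metal` subclasses, which matches the previous per-controller behaviour. A one-line regression spec would make a future removal of this line, or of the initializer file, visible: `expect(ActionController::Base.forgery_protection_strategy).to eq(ActionController::RequestForgeryProtection::ProtectionMethods::Exception)`. It would also help to say in the comment above the setting that the app depends on it, e.g. `# CSRF protection for every controller comes from this default; it is no longer declared per controller.`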