From 537d2939b10df9121e5a9f13a9d66c568ff681bf Mon Sep 17 00:00:00 2001 From: Patrick Figel Date: Mon, 15 Jan 2018 06:51:23 +0100 Subject: [PATCH] Suppress CSRF token warnings (#6240) CSRF token checking was enabled for API controllers in #6223, producing "Can't verify CSRF token authenticity" log spam. This disables logging of failed CSRF checks. This also changes the protection strategy for PushSubscriptionsController to use exceptions, making it consistent with other controllers that use sessions. --- app/controllers/api/web/push_subscriptions_controller.rb | 1 + config/initializers/suppress_csrf_warnings.rb | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 config/initializers/suppress_csrf_warnings.rb diff --git a/app/controllers/api/web/push_subscriptions_controller.rb b/app/controllers/api/web/push_subscriptions_controller.rb index 52e250d02d..68ccbd5e20 100644 --- a/app/controllers/api/web/push_subscriptions_controller.rb +++ b/app/controllers/api/web/push_subscriptions_controller.rb @@ -4,6 +4,7 @@ class Api::Web::PushSubscriptionsController < Api::BaseController respond_to :json before_action :require_user! + protect_from_forgery with: :exception def create params.require(:subscription).require(:endpoint) diff --git a/config/initializers/suppress_csrf_warnings.rb b/config/initializers/suppress_csrf_warnings.rb new file mode 100644 index 0000000000..410ab585b4 --- /dev/null +++ b/config/initializers/suppress_csrf_warnings.rb @@ -0,0 +1,3 @@ +# frozen_string_literal: true + +ActionController::Base.log_warning_on_csrf_failure = false