Merge pull request #8381 from SuperTux88/fix-forgery-protection-for-federation

Bump diaspora_federation and enable forgery protection by default again
2022-07-24 01:30:41 +02:00 · 2022-07-24 01:30:41 +02:00 · 429a47d64d
commit 429a47d64d
parent a88a25a5eb 9b6a2268e9
4 changed files with 12 additions and 18 deletions
--- a/6
+++ b/6
@ -15,8 +15,8 @@ gem "unicorn-worker-killer", "0.4.5"

 # Federation

-gem "diaspora_federation-json_schema", "1.0.0"
-gem "diaspora_federation-rails", "1.0.0"
+gem "diaspora_federation-json_schema", "1.0.1"
+gem "diaspora_federation-rails",       "1.0.1"

 # API and JSON

@ -245,7 +245,7 @@ group :test do
  gem "timecop",           "0.9.5"
  gem "webmock",           "3.14.0", require: false

-  gem "diaspora_federation-test", "1.0.0"
+  gem "diaspora_federation-test", "1.0.1"
 end

 group :development, :test do
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -209,18 +209,18 @@ GEM
    devise_lastseenable (0.0.6)
      devise
      rails (>= 3.0.4)
-    diaspora_federation (1.0.0)
+    diaspora_federation (1.0.1)
      faraday (>= 1.0, < 3)
      faraday-follow_redirects (~> 0.3)
      nokogiri (~> 1.6, >= 1.6.8)
      typhoeus (~> 1.0)
      valid (~> 1.0)
-    diaspora_federation-json_schema (1.0.0)
-    diaspora_federation-rails (1.0.0)
+    diaspora_federation-json_schema (1.0.1)
+    diaspora_federation-rails (1.0.1)
      actionpack (>= 5.2, < 8)
-      diaspora_federation (= 1.0.0)
-    diaspora_federation-test (1.0.0)
-      diaspora_federation (= 1.0.0)
+      diaspora_federation (= 1.0.1)
+    diaspora_federation-test (1.0.1)
+      diaspora_federation (= 1.0.1)
      fabrication (~> 2.29)
      uuid (~> 2.3, >= 2.3.8)
    diff-lcs (1.5.0)
@ -800,9 +800,9 @@ DEPENDENCIES
  devise (= 4.8.1)
  devise-two-factor (= 4.0.2)
  devise_lastseenable (= 0.0.6)
-  diaspora_federation-json_schema (= 1.0.0)
-  diaspora_federation-rails (= 1.0.0)
-  diaspora_federation-test (= 1.0.0)
+  diaspora_federation-json_schema (= 1.0.1)
+  diaspora_federation-rails (= 1.0.1)
+  diaspora_federation-test (= 1.0.1)
  eye (= 0.10.0)
  factory_bot_rails (= 6.2.0)
  faraday (= 1.10.0)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -7,7 +7,6 @@
 class ApplicationController < ActionController::Base
  before_action :force_tablet_html
  has_mobile_fu
-  protect_from_forgery except: :receive, with: :exception, prepend: true

  rescue_from ActionController::InvalidAuthenticityToken do
    if user_signed_in?
--- a/config/application.rb
+++ b/config/application.rb
@ -39,11 +39,6 @@ module Diaspora
    # Enable escaping HTML in JSON.
    config.active_support.escape_html_entities_in_json = true

-    # We specify CSRF protection manually in ApplicationController with
-    # protect_from_forgery - having it enabled anywhere by default breaks
-    # federation.
-    config.action_controller.default_protect_from_forgery = false
-
    # Enable the asset pipeline
    config.assets.enabled = true