From 428c97d089a576e9221c6e3b1ebab76adfb3d088 Mon Sep 17 00:00:00 2001
From: Dennis Schubert
Date: Thu, 21 Jul 2022 05:24:13 +0200
Subject: [PATCH] Disable the default CSRF protection.

This was added in Rails 5.2 defaults, but we upgraded from 5.1 defaults to 6.1, so we didn't notice until now.

closes #8374
---
 config/application.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/application.rb b/config/application.rb
index 7594255f8..9b1c1050b 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -39,6 +39,11 @@ module Diaspora
     # Enable escaping HTML in JSON.
     config.active_support.escape_html_entities_in_json = true
 
+    # We specify CSRF protection manually in ApplicationController with
+    # protect_from_forgery - having it enabled anywhere by default breaks
+    # federation.
+    config.action_controller.default_protect_from_forgery = false
+
     # Enable the asset pipeline
     config.assets.enabled = true
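Review bot: Setting `config.action_controller.default_protect_from_forgery = false` removes the framework-level safety net for every controller, not only the federation ones, so the added comment should state the invariant it relies on: any controller that does not inherit from ApplicationController (an engine controller, or one deriving directly from ActionController::Base) now has no CSRF protection unless it calls `protect_from_forgery` itself. I would extend the comment with `# NOTE: controllers that do not inherit from ApplicationController get no CSRF check at all; each must opt in with protect_from_forgery.` so the next person adding a controller sees the trade-off. Whether every controller in the app inherits from ApplicationController cannot be seen from this hunk, so a regression spec asserting that `ApplicationController._process_action_callbacks` includes `verify_authenticity_token` would turn the comment's claim into something the test suite enforces rather than assumes. The surrounding `class Application` body starts and ends outside the hunk.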