From 8a8678c97b5ac0793c1f9460ddf421f9e1efdd31 Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Sat, 23 Jul 2022 01:57:12 +0200
Subject: [PATCH] Disable forgery protection for ReceiveController

This is enabled by default since rails 5.2, but it doesn't make sense for the /receive/ routes, because they are called without a session and without a token.
---
 app/controllers/diaspora_federation/receive_controller.rb | 2 ++
 spec/spec_helper.rb | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/app/controllers/diaspora_federation/receive_controller.rb b/app/controllers/diaspora_federation/receive_controller.rb
index a9568b5..b0fd2a0 100644
--- a/app/controllers/diaspora_federation/receive_controller.rb
+++ b/app/controllers/diaspora_federation/receive_controller.rb
@@ -5,6 +5,8 @@ require_dependency "diaspora_federation/application_controller"
 module DiasporaFederation
 # This controller processes receiving messages.
 class ReceiveController < ApplicationController
+ skip_forgery_protection
+
 # Receives public messages
 #
 # POST /receive/public
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index a2d03f2..be04393 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -50,7 +50,11 @@ RSpec.configure do |config|
 expect_config.syntax = :expect
 end
 
- unless defined?(::Rails)
+ if defined?(::Rails)
+ config.before(:each, type: :controller) do
+ ActionController::Base.allow_forgery_protection = true
+ end
+ else
 config.exclude_pattern = "**/controllers/**/*_spec.rb, **/routing/**/*_spec.rb"
 config.filter_run_excluding rails: true
 end
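Review bot: The class-level `skip_forgery_protection` added at the top of ReceiveController exempts every action in the class, including any added later, from CSRF checks, and the new code carries no comment saying why that is safe. The commit message gives the reason (the /receive/ routes are called without a session or token), so it is worth recording next to the call, e.g. `# CSRF check skipped: /receive/ is called by other servers without session or token; actions here must not rely on cookie or session state.` If only the receive actions need the exemption, passing `only:` with those action names would keep a future action in this controller protected by default. The class body continues outside the hunk, so how the actions authenticate incoming payloads cannot be confirmed from here, and the comment should point to that check.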
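Review bot: The `before` hook in the new `if defined?(::Rails)` branch sets `ActionController::Base.allow_forgery_protection = true` and never restores it, so the setting stays on for every example that runs after the first controller spec and results can depend on run order. An `around` hook that saves the previous value and puts it back after the example would keep the change scoped to controller specs. The `RSpec.configure` block starts and ends outside the hunk.

```ruby
  if defined?(::Rails)
    config.around(:each, type: :controller) do |example|
      previous = ActionController::Base.allow_forgery_protection
      ActionController::Base.allow_forgery_protection = true
      example.run
    ensure
      ActionController::Base.allow_forgery_protection = previous
    end
  else
    # … unchanged: exclude_pattern and filter_run_excluding …
  end
```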