| @@ -0,0 +1,41 | |||||
|
|
1 | # Redmine - project management software | |||
|
|
2 | # Copyright (C) 2006-2013 Jean-Philippe Lang | |||
|
|
3 | # | |||
|
|
4 | # This program is free software; you can redistribute it and/or | |||
|
|
5 | # modify it under the terms of the GNU General Public License | |||
|
|
6 | # as published by the Free Software Foundation; either version 2 | |||
|
|
7 | # of the License, or (at your option) any later version. | |||
|
|
8 | # | |||
|
|
9 | # This program is distributed in the hope that it will be useful, | |||
|
|
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
|
|
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
|
|
12 | # GNU General Public License for more details. | |||
|
|
13 | # | |||
|
|
14 | # You should have received a copy of the GNU General Public License | |||
|
|
15 | # along with this program; if not, write to the Free Software | |||
|
|
16 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | |||
|
|
17 | ||||
|
|
18 | require File.expand_path('../../../test_helper', __FILE__) | |||
|
|
19 | ||||
|
|
20 | class Redmine::ApiTest::ApiTest < Redmine::ApiTest::Base | |||
|
|
21 | fixtures :users | |||
|
|
22 | ||||
|
|
23 | def setup | |||
|
|
24 | Setting.rest_api_enabled = '1' | |||
|
|
25 | end | |||
|
|
26 | ||||
|
|
27 | def test_api_should_work_with_protect_from_forgery | |||
|
|
28 | ActionController::Base.allow_forgery_protection = true | |||
|
|
29 | assert_difference('User.count') do | |||
|
|
30 | post '/users.xml', { | |||
|
|
31 | :user => { | |||
|
|
32 | :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname', | |||
|
|
33 | :mail => 'foo@example.net', :password => 'secret123'} | |||
|
|
34 | }, | |||
|
|
35 | credentials('admin') | |||
|
|
36 | assert_response 201 | |||
|
|
37 | end | |||
|
|
38 | ensure | |||
|
|
39 | ActionController::Base.allow_forgery_protection = false | |||
|
|
40 | end | |||
|
|
41 | end No newline at end of file | |||
| @@ -33,13 +33,19 class ApplicationController < ActionController::Base | |||||
| 33 | layout 'base' |
|
33 | layout 'base' | |
| 34 |
|
34 | |||
| 35 | protect_from_forgery |
|
35 | protect_from_forgery | |
|
|
36 | ||||
|
|
37 | def verify_authenticity_token | |||
|
|
38 | unless api_request? | |||
|
|
39 | super | |||
|
|
40 | end | |||
|
|
41 | end | |||
|
|
42 | ||||
| 36 | def handle_unverified_request |
|
43 | def handle_unverified_request | |
| 37 | super |
|
44 | unless api_request? | |
| 38 | cookies.delete(autologin_cookie_name) |
|
45 | super | |
| 39 | if api_request? |
|
46 | cookies.delete(autologin_cookie_name) | |
| 40 | logger.error "API calls must include a proper Content-type header (application/xml or application/json)." |
|
47 | render_error :status => 422, :message => "Invalid form authenticity token." | |
| 41 | end |
|
48 | end | |
| 42 | render_error :status => 422, :message => "Invalid form authenticity token." |
|
|||
| 43 | end |
|
49 | end | |
| 44 |
|
50 | |||
| 45 | before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization |
|
51 | before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization | |
General Comments 0
You need to be logged in to leave comments.
Login now