| @@ -0,0 +1,41 | |||
|
|
1 | # Redmine - project management software | |
|
|
2 | # Copyright (C) 2006-2013 Jean-Philippe Lang | |
|
|
3 | # | |
|
|
4 | # This program is free software; you can redistribute it and/or | |
|
|
5 | # modify it under the terms of the GNU General Public License | |
|
|
6 | # as published by the Free Software Foundation; either version 2 | |
|
|
7 | # of the License, or (at your option) any later version. | |
|
|
8 | # | |
|
|
9 | # This program is distributed in the hope that it will be useful, | |
|
|
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
|
|
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
|
|
12 | # GNU General Public License for more details. | |
|
|
13 | # | |
|
|
14 | # You should have received a copy of the GNU General Public License | |
|
|
15 | # along with this program; if not, write to the Free Software | |
|
|
16 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | |
|
|
17 | ||
|
|
18 | require File.expand_path('../../../test_helper', __FILE__) | |
|
|
19 | ||
|
|
20 | class Redmine::ApiTest::ApiTest < Redmine::ApiTest::Base | |
|
|
21 | fixtures :users | |
|
|
22 | ||
|
|
23 | def setup | |
|
|
24 | Setting.rest_api_enabled = '1' | |
|
|
25 | end | |
|
|
26 | ||
|
|
27 | def test_api_should_work_with_protect_from_forgery | |
|
|
28 | ActionController::Base.allow_forgery_protection = true | |
|
|
29 | assert_difference('User.count') do | |
|
|
30 | post '/users.xml', { | |
|
|
31 | :user => { | |
|
|
32 | :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname', | |
|
|
33 | :mail => 'foo@example.net', :password => 'secret123'} | |
|
|
34 | }, | |
|
|
35 | credentials('admin') | |
|
|
36 | assert_response 201 | |
|
|
37 | end | |
|
|
38 | ensure | |
|
|
39 | ActionController::Base.allow_forgery_protection = false | |
|
|
40 | end | |
|
|
41 | end No newline at end of file | |
| @@ -33,13 +33,19 class ApplicationController < ActionController::Base | |||
|
|
33 | 33 | layout 'base' |
|
|
34 | 34 | |
|
|
35 | 35 | protect_from_forgery |
|
|
36 | ||
|
|
37 | def verify_authenticity_token | |
|
|
38 | unless api_request? | |
|
|
39 | super | |
|
|
40 | end | |
|
|
41 | end | |
|
|
42 | ||
|
|
36 | 43 | def handle_unverified_request |
|
|
37 | super | |
|
|
38 | cookies.delete(autologin_cookie_name) | |
|
|
39 | if api_request? | |
|
|
40 | logger.error "API calls must include a proper Content-type header (application/xml or application/json)." | |
|
|
44 | unless api_request? | |
|
|
45 | super | |
|
|
46 | cookies.delete(autologin_cookie_name) | |
|
|
47 | render_error :status => 422, :message => "Invalid form authenticity token." | |
|
|
41 | 48 | end |
|
|
42 | render_error :status => 422, :message => "Invalid form authenticity token." | |
|
|
43 | 49 | end |
|
|
44 | 50 | |
|
|
45 | 51 | before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization |
General Comments 0
You need to be logged in to leave comments.
Login now