Fix direct uploads to local service

Disable CSRF protection for ActiveStorage::DiskController#update. The local disk service is intended to imitate a third-party service like S3 or GCS, so we don't care where direct uploads originate: they’re authorized by signed tokens.

Closes #30290.

[Shinichi Maeshima & George Claghorn]

activestorage/app/controllers/active_storage/disk_controller.rb

@@ -5,6 +5,8 @@
 # Always go through the BlobsController, or your own authenticated controller, rather than directly
 # to the service url.
 class ActiveStorage::DiskController < ActionController::Base
+  skip_forgery_protection
+
   def show
     if key = decode_verified_key
       send_data disk_service.download(key),

activestorage/test/dummy/config/environments/test.rb

@@ -30,6 +30,9 @@
   # Print deprecation notices to the stderr.
   config.active_support.deprecation = :stderr
 
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
+
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
 end

activestorage/test/test_helper.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+ENV["RAILS_ENV"] ||= "test"
 require_relative "dummy/config/environment.rb"
 
 require "bundler/setup"