Fix direct uploads to local service
Disable CSRF protection for ActiveStorage::DiskController#update. The local disk service is intended to imitate a third-party service like S3 or GCS, so we don't care where direct uploads originate: they’re authorized by signed tokens. Closes #30290. [Shinichi Maeshima & George Claghorn]
parent 951e2715b5
commit 2d20a7696a
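The commit message rests on one point: a direct upload to the disk service is authorized by a signed token, not by the request's origin, so the CSRF token adds nothing. The following constructed illustration of that reasoning is added here and is not ActiveStorage's own verifier or code from this commit; the secret, key and checksum values are invented, and the token format (base64 payload, HMAC-SHA256 signature, expiry) is an assumption chosen for the example.

```ruby
require "openssl"
require "json"
require "securerandom"

# Constructed stand-in for the signed token that authorizes a direct upload to
# the local disk service. Not ActiveStorage's own verifier: it only shows why a
# request carrying such a token needs no CSRF token. The token cannot be forged
# without the application secret and is bound to one blob key, one content
# checksum and an expiry, so the origin of the request is irrelevant.
SECRET = SecureRandom.hex(32) # application secret; constructed per run

def hmac(secret, data)
  OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end

# Constant-time comparison so a forged signature leaks nothing through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a token for one blob key and content checksum, valid until +expires_at+.
def sign_direct_upload_token(secret, key:, checksum:, expires_at:)
  payload = [JSON.generate(key: key, checksum: checksum, exp: expires_at.to_i)].pack("m0")
  "#{payload}--#{hmac(secret, payload)}"
end

# Return the authorized { key:, checksum: } or nil when the token is forged,
# tampered with, malformed or expired.
def verify_direct_upload_token(secret, token, now: Time.now)
  payload, sig = token.to_s.split("--", 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_compare(sig, hmac(secret, payload))
  data = JSON.parse(payload.unpack1("m0"))
  return nil unless data.is_a?(Hash) && data["exp"].is_a?(Integer)
  return nil if data["exp"] < now.to_i
  { key: data["key"], checksum: data["checksum"] }
rescue ArgumentError, JSON::ParserError
  nil
end

if $PROGRAM_NAME == __FILE__
  token = sign_direct_upload_token(SECRET, key: "example-blob-key", checksum: "constructed-checksum", expires_at: Time.now + 300)
  p verify_direct_upload_token(SECRET, token)          # => {:key=>"example-blob-key", :checksum=>"constructed-checksum"}
  p verify_direct_upload_token("wrong-secret", token)  # => nil
end
```

The disk service endpoint would accept a write only when verification returns a key, which is the property that makes the CSRF check redundant for it.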
@ -5,6 +5,8 @@
# Always go through the BlobsController, or your own authenticated controller, rather than directly
# to the service url.
class ActiveStorage::DiskController < ActionController::Base
skip_forgery_protection
def show
if key = decode_verified_key
send_data disk_service.download(key),
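Review bot: `skip_forgery_protection` is controller-wide, so it turns CSRF checking off for `show` as well as `update`, and the only thing standing between an arbitrary origin and a write to the disk service is now the verified token; the hunk should say so inline rather than leaving the reason in the commit message. Suggest a comment directly above it, for example `# Direct uploads are authorized by the signed token in the URL, so CSRF protection is not needed (see decode_verified_key).`, so the next reader does not take it for an oversight. Worth confirming in the same review that `update` rejects a request whose key fails verification the same way `show` does with `if key = decode_verified_key`.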
@ -30,6 +30,9 @@
# Print deprecation notices to the stderr.
config.active_support.deprecation = :stderr
# Disable request forgery protection in test environment.
config.action_controller.allow_forgery_protection = false
# Raises error for missing translations
# config.action_view.raise_on_missing_translations = true
end
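Review bot: with `config.action_controller.allow_forgery_protection = false` in the dummy app's test environment, no test can observe whether `skip_forgery_protection` on the disk controller actually does its job, because every controller has CSRF checks off in that environment anyway, so a regression that drops the skip would still pass the suite. Suggest leaving this line out, or pairing it with a test that re-enables forgery protection around one direct upload request (for example by setting `ActionController::Base.allow_forgery_protection = true` in a `setup`/`teardown` pair) and asserts that the token-authorized request succeeds without a CSRF token.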
@ -1,5 +1,6 @@
# frozen_string_literal: true
ENV["RAILS_ENV"] ||= "test"
require_relative "dummy/config/environment.rb"
require "bundler/setup"
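Review bot: `ENV["RAILS_ENV"] ||= "test"` is correctly placed before `require_relative "dummy/config/environment.rb"`, which is what makes the test environment config the one that gets loaded, but `||=` keeps whatever `RAILS_ENV` the shell already has, so a run under `RAILS_ENV=development` would boot the dummy app with different forgery-protection settings and exercise a path the suite does not expect. A one-line comment stating that this line selects the test config would help, and the `.rb` suffix on the `require_relative` argument is redundant.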