From: Tom Hughes Date: Fri, 30 Sep 2011 08:57:59 +0000 (+0100) Subject: Disable CSRF token verification for API methods X-Git-Tag: live~6034 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/071c3581e94552e5da08a2eed14e9a69e4f87e4f Disable CSRF token verification for API methods --- diff --git a/app/controllers/amf_controller.rb b/app/controllers/amf_controller.rb index 329fab573..b472ae05c 100644 --- a/app/controllers/amf_controller.rb +++ b/app/controllers/amf_controller.rb @@ -41,6 +41,7 @@ class AmfController < ApplicationController # Help methods for checking boundary sanity and area size include MapBoundary + skip_before_filter :verify_authenticity_token before_filter :check_api_writable # Main AMF handlers: process the raw AMF string (using AMF library) and diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb index 35fc86c52..b9bb5fe59 100644 --- a/app/controllers/api_controller.rb +++ b/app/controllers/api_controller.rb @@ -1,5 +1,6 @@ class ApiController < ApplicationController + skip_before_filter :verify_authenticity_token before_filter :check_api_readable, :except => [:capabilities] after_filter :compress_output around_filter :api_call_handle_error, :api_call_timeout diff --git a/app/controllers/changeset_controller.rb b/app/controllers/changeset_controller.rb index ca501fd43..c45b211d4 100644 --- a/app/controllers/changeset_controller.rb +++ b/app/controllers/changeset_controller.rb @@ -4,6 +4,7 @@ class ChangesetController < ApplicationController layout 'site' require 'xml/libxml' + skip_before_filter :verify_authenticity_token, :except => [:list] before_filter :authorize_web, :only => [:list] before_filter :set_locale, :only => [:list] before_filter :authorize, :only => [:create, :update, :delete, :upload, :include, :close] diff --git a/app/controllers/node_controller.rb b/app/controllers/node_controller.rb index 19eb77163..5064a3c0b 100644 --- a/app/controllers/node_controller.rb 
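Review bot: The AmfController hunk drops the forgery check in a controller with no visible `authorize` or `authorize_web` filter, so the only guard left between a cross-origin POST carrying the browser's session cookie and a Potlatch write is whatever authentication each AMF handler performs internally, which is outside this hunk. If those handlers always take credentials from the AMF payload and never fall back to `session[:user]` the skip is safe; if any of them does, this line reintroduces exactly the exposure the token existed for. That invariant deserves to be stated next to the new line, e.g. `# no CSRF token: every AMF call carries its own credentials; never derive @user from the session here`, and ideally pinned by a test that a write request with a valid session cookie and no AMF credentials is rejected.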
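Review bot: In the ApiController hunk the skip is unconditional although the only filter visible is read-oriented (`check_api_readable`), and Rails' forgery check of this vintage already lets GET requests through, so the new line changes nothing for read actions and only matters for any non-GET action in this controller. A blanket skip means a state-changing action added here later silently inherits the exemption; scoping it with `:only` to the actions that genuinely need it, or at least a comment such as `# API clients authenticate per request (basic auth/OAuth), not via the session, so no CSRF token`, keeps that decision visible.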
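Review bot: In the ChangesetController hunk the `:except => [:list]` on the skip mirrors the `:only => [:list]` on `authorize_web` directly below it, which is the right shape (the session-backed action keeps its forgery check, the API actions lose it), but the two lists must stay in lockstep and nothing ties them together. Giving the shared list a name would make the coupling explicit: `WEB_ACTIONS = [:list]`, then `skip_before_filter :verify_authenticity_token, :except => WEB_ACTIONS` and `before_filter :authorize_web, :only => WEB_ACTIONS`. Note also that actions in neither the `authorize` list nor `list` now run with no token and no authentication; that is fine only while they are GET-only, which the hunk does not show.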
+++ b/app/controllers/node_controller.rb @@ -3,6 +3,7 @@ class NodeController < ApplicationController require 'xml/libxml' + skip_before_filter :verify_authenticity_token before_filter :authorize, :only => [:create, :update, :delete] before_filter :require_allow_write_api, :only => [:create, :update, :delete] before_filter :require_public_data, :only => [:create, :update, :delete] diff --git a/app/controllers/old_node_controller.rb b/app/controllers/old_node_controller.rb index 4a1253034..615213ac1 100644 --- a/app/controllers/old_node_controller.rb +++ b/app/controllers/old_node_controller.rb @@ -1,6 +1,7 @@ class OldNodeController < ApplicationController require 'xml/libxml' + skip_before_filter :verify_authenticity_token before_filter :check_api_readable after_filter :compress_output around_filter :api_call_handle_error, :api_call_timeout diff --git a/app/controllers/old_relation_controller.rb b/app/controllers/old_relation_controller.rb index 771b322ee..19b4e5d34 100644 --- a/app/controllers/old_relation_controller.rb +++ b/app/controllers/old_relation_controller.rb @@ -1,6 +1,7 @@ class OldRelationController < ApplicationController require 'xml/libxml' + skip_before_filter :verify_authenticity_token before_filter :check_api_readable after_filter :compress_output around_filter :api_call_handle_error, :api_call_timeout diff --git a/app/controllers/old_way_controller.rb b/app/controllers/old_way_controller.rb index c20212df4..3836d4ab7 100644 --- a/app/controllers/old_way_controller.rb +++ b/app/controllers/old_way_controller.rb @@ -1,6 +1,7 @@ class OldWayController < ApplicationController require 'xml/libxml' + skip_before_filter :verify_authenticity_token before_filter :check_api_readable after_filter :compress_output around_filter :api_call_handle_error, :api_call_timeout diff --git a/app/controllers/relation_controller.rb b/app/controllers/relation_controller.rb index 10328aae4..0b989d11e 100644 --- a/app/controllers/relation_controller.rb 
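Review bot: In the NodeController hunk the blanket skip covers `create`, `update` and `delete`, whose only remaining guard is `authorize`; that is sound provided `authorize` (defined in ApplicationController, not visible here) derives `@user` solely from per-request credentials and never from the session cookie, because with the token gone a session-backed write would be forgeable from any origin. Worth pinning that assumption with a comment on the new line, e.g. `# no CSRF token: API writes are authenticated per request by :authorize, never by session`, and with a test that a POST carrying only a session cookie gets 401. The identical filter chains in WayController and RelationController in this commit rest on the same assumption.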
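Review bot: For OldNodeController, OldRelationController and OldWayController the skip is effectively a no-op: each has only `check_api_readable`, history lookups are presumably served over GET, and Rails' forgery check does not apply to GET requests in the first place, so the new line buys nothing while advertising an exemption. Harmless, but it would be cleaner to omit it from the read-only controllers, or to state the reason in place (e.g. `# read-only controller; skip kept for symmetry with the other API controllers`) so a later reader does not assume these controllers accept unverified writes.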
+++ b/app/controllers/relation_controller.rb @@ -1,6 +1,7 @@ class RelationController < ApplicationController require 'xml/libxml' + skip_before_filter :verify_authenticity_token before_filter :authorize, :only => [:create, :update, :delete] before_filter :require_allow_write_api, :only => [:create, :update, :delete] before_filter :require_public_data, :only => [:create, :update, :delete] diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb index 210e0811b..408b4a662 100644 --- a/app/controllers/search_controller.rb +++ b/app/controllers/search_controller.rb @@ -2,6 +2,7 @@ class SearchController < ApplicationController # Support searching for nodes, ways, or all # Can search by tag k, v, or both (type->k,value->v) # Can search by name (k=name,v=....) + skip_before_filter :verify_authenticity_token after_filter :compress_output def search_all diff --git a/app/controllers/swf_controller.rb b/app/controllers/swf_controller.rb index 0e7e15bbf..10ec815db 100644 --- a/app/controllers/swf_controller.rb +++ b/app/controllers/swf_controller.rb @@ -1,4 +1,5 @@ class SwfController < ApplicationController + skip_before_filter :verify_authenticity_token before_filter :check_api_readable # to log: diff --git a/app/controllers/trace_controller.rb b/app/controllers/trace_controller.rb index 1ca28246f..cdfa5e3cb 100644 --- a/app/controllers/trace_controller.rb +++ b/app/controllers/trace_controller.rb @@ -1,6 +1,7 @@ class TraceController < ApplicationController layout 'site' + skip_before_filter :verify_authenticity_token, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data] before_filter :authorize_web before_filter :set_locale before_filter :require_user, :only => [:mine, :create, :edit, :delete] diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb index fa93313b3..16b76196b 100644 --- a/app/controllers/user_controller.rb +++ b/app/controllers/user_controller.rb 
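Review bot: In the SearchController hunk the skip lands in a controller with no authentication filter at all, so for any non-GET action it would turn an unauthenticated-but-CSRF-guarded endpoint into a fully open one. If `search_all` and its siblings are GET-only (likely, but the routes' HTTP verbs are not visible here) the line is a no-op and could simply be omitted; if any of them is reachable by POST, a comment explaining why an unauthenticated write needs no forgery check is the minimum.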
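Review bot: In the TraceController hunk the forgery check is dropped for the `api_*` actions while `before_filter :authorize_web` on the next line still runs for them unconditionally, so a browser holding an OSM session cookie will have `@user` populated from the session on an `api_create`/`api_update`/`api_delete` request issued from any origin. Whether that becomes a forged GPX write depends on whether the API's `authorize` filter (outside this hunk, if present for these actions) re-authenticates from request credentials or accepts the already-set `@user`, which is not visible here. UserController in this same commit sidesteps the question by excluding its API actions from the session filter, and the same shape would make this hunk safe regardless: `before_filter :authorize_web, :except => [:api_create, :api_read, :api_update, :api_delete, :api_data]`. TraceController's filter chain continues outside the hunk.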
@@ -1,6 +1,7 @@ class UserController < ApplicationController layout :choose_layout + skip_before_filter :verify_authenticity_token, :only => [:api_details, :api_gpx_files] before_filter :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details] before_filter :authorize, :only => [:api_details, :api_gpx_files] before_filter :authorize_web, :except => [:api_details, :api_gpx_files] diff --git a/app/controllers/user_preference_controller.rb b/app/controllers/user_preference_controller.rb index d02313497..377e78313 100644 --- a/app/controllers/user_preference_controller.rb +++ b/app/controllers/user_preference_controller.rb @@ -1,5 +1,6 @@ # Update and read user preferences, which are arbitrayr key/val pairs class UserPreferenceController < ApplicationController + skip_before_filter :verify_authenticity_token before_filter :authorize before_filter :require_allow_read_prefs, :only => [:read_one, :read] before_filter :require_allow_write_prefs, :except => [:read_one, :read] diff --git a/app/controllers/way_controller.rb b/app/controllers/way_controller.rb index e20eb1a79..c3ffe3c0f 100644 --- a/app/controllers/way_controller.rb +++ b/app/controllers/way_controller.rb @@ -1,6 +1,7 @@ class WayController < ApplicationController require 'xml/libxml' + skip_before_filter :verify_authenticity_token before_filter :authorize, :only => [:create, :update, :delete] before_filter :require_allow_write_api, :only => [:create, :update, :delete] before_filter :require_public_data, :only => [:create, :update, :delete]
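Review bot: In the UserPreferenceController hunk every action sits behind `authorize`, so the skip is safe on the same assumption as the other API controllers, that `authorize` authenticates from the request and never from the session cookie; but this controller accepts writes of arbitrary key/value pairs, so it is where a forged request would be cheapest if that assumption ever breaks. A one-line comment above the skip stating the dependency, e.g. `# no CSRF token: every action is authenticated per request by :authorize, never by session`, would make it explicit for the next maintainer.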