From 66716023e4ef7ce483128cff5b2c6c68520a5dbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Sat, 16 Jun 2012 14:51:37 +0200
Subject: [PATCH] Disable storage on CSRF

---
 lib/devise/controllers/helpers.rb | 1 +
 lib/devise/strategies/authenticatable.rb | 2 +-
 lib/devise/strategies/base.rb | 5 +++++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/devise/controllers/helpers.rb b/lib/devise/controllers/helpers.rb
index 471ac258..8f847c24 100644
--- a/lib/devise/controllers/helpers.rb
+++ b/lib/devise/controllers/helpers.rb
@@ -255,6 +255,7 @@ module Devise
 def handle_unverified_request
 sign_out_all_scopes
 warden.clear_strategies_cache!
+ request.env["devise.skip_storage"] = true
 expire_devise_cached_variables!
 super # call the default behaviour which resets the session
 end
diff --git a/lib/devise/strategies/authenticatable.rb b/lib/devise/strategies/authenticatable.rb
index 1abd2afe..df8bd2f6 100644
--- a/lib/devise/strategies/authenticatable.rb
+++ b/lib/devise/strategies/authenticatable.rb
@@ -9,7 +9,7 @@ module Devise
 attr_accessor :authentication_hash, :authentication_type, :password
 
 def store?
- !mapping.to.skip_session_storage.include?(authentication_type)
+ super && !mapping.to.skip_session_storage.include?(authentication_type)
 end
 
 def valid?
diff --git a/lib/devise/strategies/base.rb b/lib/devise/strategies/base.rb
index 8bbec932..6f182113 100644
--- a/lib/devise/strategies/base.rb
+++ b/lib/devise/strategies/base.rb
@@ -2,6 +2,11 @@ module Devise
 module Strategies
 # Base strategy for Devise. Responsible for verifying correct scope and mapping.
 class Base < ::Warden::Strategies::Base
+ # Whenever CSRF cannot be verified, we turn off any kind of storage
+ def store?
+ !env["devise.skip_storage"]
+ end
+
 # Checks if a valid scope was given for devise and find mapping based on this scope.
 def mapping
 @mapping ||= begin
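Review bot: The new line in `handle_unverified_request` writes a bare string key that the strategy side in lib/devise/strategies/base.rb must spell identically, and nothing on the line says what reads it or why, so a typo on either side would silently let an unverified request persist a user in the session again. I would comment it, e.g. `# Tell Devise strategies (Base#store?) not to persist anything in the session for this request`, and consider hoisting the key into one shared constant referenced from both files. The flag is only honoured by strategies that inherit from Devise::Strategies::Base and keep calling `super` in `store?`; a custom Warden strategy registered directly would presumably still store, which is worth stating in that comment. Setting it after `sign_out_all_scopes` and `warden.clear_strategies_cache!` looks right, since any re-run of the strategies in this request will then see the flag.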
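Review bot: `store?` now relies on `super` to carry the CSRF skip decision from the base strategy, but nothing documents that contract, so any subclass of Authenticatable (Devise's own strategies and app-defined ones presumably derive from it) that overrides `store?` without calling `super` silently reintroduces session storage on an unverified request. I would add a comment above the method, e.g. `# Overrides must call super: Devise::Strategies::Base#store? returns false when CSRF verification failed for this request`. Whether `super` actually resolves to that base method depends on the class header, which is outside this hunk, as is the body of `valid?`.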
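Review bot: The comment on the new `store?` describes the CSRF case, but the method itself only reads `env["devise.skip_storage"]`, so anything that sets that Rack env key (the controller's `handle_unverified_request` in this patch, or any middleware) disables session storage for every Devise strategy; the comment should document the key and the contract rather than one caller, e.g. `# Returns false when env["devise.skip_storage"] is set (Devise::Controllers::Helpers#handle_unverified_request sets it when CSRF verification fails) so no strategy persists the user in the session; subclasses overriding store? must call super.` The string key is duplicated verbatim in the controller helper, so a constant such as `SKIP_STORAGE_KEY = "devise.skip_storage".freeze` referenced from both places would remove the chance of the two drifting apart. This also assumes `env` here is the same Rack env hash as `request.env` in the controller, which is the usual Warden arrangement but is not visible in the hunk.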