Protect all Active Storage controllers against CSRF
Before this change it was possible, for example, to call the direct upload controller without going through the site's own forms.
parent
b71b8ecc4e
commit
03bd370c02
|
@ -0,0 +1,6 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
# The base controller for all ActiveStorage controllers.
|
||||
class ActiveStorage::BaseController < ActionController::Base
|
||||
protect_from_forgery with: :exception
|
||||
end
|
|
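Review bot: `protect_from_forgery with: :exception` on L23 is unconditional, so it applies even to host applications that turn off `config.action_controller.default_protect_from_forgery`; the removed `if default_protect_from_forgery` guard in DiskController suggests the engine previously followed that setting, so if the new behaviour is deliberate the class comment should say so. It is also worth stating that the check only runs for non-GET requests, so in practice it gates `DirectUploadsController#create` (and any other non-GET action a subclass exposes) while the `show` actions are unaffected. Suggested comment under L17: `# Forgery protection is enabled regardless of the host app's default_protect_from_forgery setting; it applies to non-GET actions only, and subclasses that cannot receive a CSRF token must opt out explicitly.`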
@ -4,7 +4,7 @@
|
|||
# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
|
||||
# security-through-obscurity factor of the signed blob references, you'll need to implement your own
|
||||
# authenticated redirection controller.
|
||||
class ActiveStorage::BlobsController < ActionController::Base
|
||||
class ActiveStorage::BlobsController < ActiveStorage::BaseController
|
||||
include ActiveStorage::SetBlob
|
||||
|
||||
def show
|
||||
|
|
|
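Review bot: Switching the superclass on L44 does not change how `show` on L52 is reached: forgery verification applies only to non-GET/HEAD requests, so the signed blob URL remains fetchable from any origin exactly as the note on L32–L38 says. That is acceptable for a public redirect endpoint, but a reader may now assume the base class gates this action; a one-line addition to the class comment avoids that: `# The CSRF protection inherited from BaseController does not restrict GET requests such as show; access control here rests solely on the signed blob reference.` The `show` body lies outside the hunk.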
@ -3,7 +3,7 @@
|
|||
# Creates a new blob on the server side in anticipation of a direct-to-service upload from the client side.
|
||||
# When the client-side upload is completed, the signed_blob_id can be submitted as part of the form to reference
|
||||
# the blob that was created up front.
|
||||
class ActiveStorage::DirectUploadsController < ActionController::Base
|
||||
class ActiveStorage::DirectUploadsController < ActiveStorage::BaseController
|
||||
def create
|
||||
blob = ActiveStorage::Blob.create_before_direct_upload!(blob_args)
|
||||
render json: direct_upload_json(blob)
|
||||
|
|
|
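Review bot: With forgery protection inherited from the base class, a request to `create` on L76 that lacks a valid token is rejected with `ActionController::InvalidAuthenticityToken` (a 422 under the default exception handling) before the JSON on L82 is rendered, so the direct-upload JavaScript client must send the `X-CSRF-Token` header from the `csrf-token` meta tag or every upload will fail with an HTML error body instead of JSON. Nothing in the hunk documents this client-side requirement. Suggest adding to the class comment after L67: `# Requests here must carry a valid CSRF token (e.g. the X-CSRF-Token header sent by the direct upload client).` The `create` body continues past the hunk and `blob_args` is defined outside it.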
@ -4,8 +4,8 @@
|
|||
# This means using expiring, signed URLs that are meant for immediate access, not permanent linking.
|
||||
# Always go through the BlobsController, or your own authenticated controller, rather than directly
|
||||
# to the service url.
|
||||
class ActiveStorage::DiskController < ActionController::Base
|
||||
skip_forgery_protection if default_protect_from_forgery
|
||||
class ActiveStorage::DiskController < ActiveStorage::BaseController
|
||||
skip_forgery_protection
|
||||
|
||||
def show
|
||||
if key = decode_verified_key
|
||||
|
|
|
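Review bot: `skip_forgery_protection` on L109 removes the CSRF check from every action of this controller, including whatever non-GET action receives the direct-upload PUT, and the hunk gives no justification; the only safeguard visible here is the signed key decoded on L117 for `show`. If the upload action is likewise gated by an expiring signed token in the URL, which is presumably why the check can be dropped, a why-comment should say so: `# CSRF verification is skipped because these endpoints are authenticated by the expiring signed token in the URL, and the direct-upload client cannot attach a CSRF token to its PUT.` Dropping the former `if default_protect_from_forgery` guard looks safe only if `skip_forgery_protection` tolerates a missing `verify_authenticity_token` callback (it passes `raise: false` in the Rails versions I know of), so that should be confirmed against the Rails version the engine targets. The `show` body continues outside the hunk and the update action is not visible here.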
@ -4,7 +4,7 @@
|
|||
# Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
|
||||
# security-through-obscurity factor of the signed blob and variation reference, you'll need to implement your own
|
||||
# authenticated redirection controller.
|
||||
class ActiveStorage::RepresentationsController < ActionController::Base
|
||||
class ActiveStorage::RepresentationsController < ActiveStorage::BaseController
|
||||
include ActiveStorage::SetBlob
|
||||
|
||||
def show
|
||||
|
|