From 5d4f1d8ba3d66eea6832f7ce94dd265bff19d6f4 Mon Sep 17 00:00:00 2001
From: Konstantin Haase
Date: Mon, 21 Oct 2013 11:38:36 +0200
Subject: [PATCH] let json_csrf always deny, fixes #50
---
 rack-protection/lib/rack/protection/json_csrf.rb | 2 +-
 rack-protection/spec/json_csrf_spec.rb | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/rack-protection/lib/rack/protection/json_csrf.rb b/rack-protection/lib/rack/protection/json_csrf.rb
index b4a101dd..f163f686 100644
--- a/rack-protection/lib/rack/protection/json_csrf.rb
+++ b/rack-protection/lib/rack/protection/json_csrf.rb
@@ -11,7 +11,7 @@ module Rack
 # Array prototype has been patched to track data. Checks the referrer
 # even on GET requests if the content type is JSON.
 class JsonCsrf < Base
- default_reaction :deny
+ alias react deny
 def call(env)
 request = Request.new(env)
diff --git a/rack-protection/spec/json_csrf_spec.rb b/rack-protection/spec/json_csrf_spec.rb
index 0b293dc8..264f9483 100644
--- a/rack-protection/spec/json_csrf_spec.rb
+++ b/rack-protection/spec/json_csrf_spec.rb
@@ -44,7 +44,7 @@ describe Rack::Protection::JsonCsrf do
 end
 describe 'with drop_session as default reaction' do
- it 'reset the session' do
+ it 'still denies' do
 mock_app do
 use Rack::Protection, :reaction => :drop_session
 run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
@@ -52,8 +52,7 @@ describe Rack::Protection::JsonCsrf do
 session = {:foo => :bar}
 get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
- last_response.should be_ok
- session.should be_empty
+ last_response.should_not be_ok
 end
 end
 end
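Review bot: `alias react deny` binds `react` to whatever `deny` is at the moment the JsonCsrf class body is evaluated, so a `deny` redefined later — in a subclass of JsonCsrf, or by an application reopening Base — is silently bypassed, whereas the `default_reaction :deny` it replaces appears to resolve the reaction per request. `def react(env); deny(env); end` keeps late binding while still ignoring the global `:reaction` option, which is what the commit is after. The line also needs a comment recording why this one middleware refuses the configured reaction, since nothing in the class says so; something like `# Always deny regardless of the :reaction option: presumably a non-blocking reaction (e.g. drop_session) would still serve the JSON body to the cross-site caller, which is the leak this middleware exists to stop (see #50).` The `call` method that follows continues past the end of the hunk.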
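Review bot: `last_response.should_not be_ok` only proves the status is not 2xx, which a redirect, a 404 from the app or any other failure would satisfy equally, so it does not pin the denial the example's new name promises; assert the exact rejection, `last_response.status.should == 403` (if that is the status Base#deny emits by default — verify against base.rb). Because the point of the change is that the `:drop_session` reaction is no longer applied to this middleware, also assert the session survived, `session.should == {:foo => :bar}`, provided deny leaves the session untouched. The removed `session.should be_empty` was the only line observing the session at all, so dropping it without a replacement leaves the drop_session-versus-deny distinction untested. The enclosing describe block opens before this hunk.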