let json_csrf always deny, fixes #50

2023-03-27 23:18:01 -04:00 · 2013-10-21 11:38:36 +02:00 · 2013-10-21 11:38:36 +02:00 · 5d4f1d8ba3
commit 5d4f1d8ba3
parent a428f6e138
2 changed files with 3 additions and 4 deletions
--- a/rack-protection/lib/rack/protection/json_csrf.rb
+++ b/rack-protection/lib/rack/protection/json_csrf.rb
@ -11,7 +11,7 @@ module Rack
    # Array prototype has been patched to track data. Checks the referrer
    # even on GET requests if the content type is JSON.
    class JsonCsrf < Base
-      default_reaction :deny
+      alias react deny

      def call(env)
        request               = Request.new(env)
--- a/rack-protection/spec/json_csrf_spec.rb
+++ b/rack-protection/spec/json_csrf_spec.rb
@ -44,7 +44,7 @@ describe Rack::Protection::JsonCsrf do
  end

  describe 'with drop_session as default reaction' do
-    it 'reset the session' do
+    it 'still denies' do
      mock_app do
        use Rack::Protection, :reaction => :drop_session
        run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
@ -52,8 +52,7 @@ describe Rack::Protection::JsonCsrf do

      session = {:foo => :bar}
      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
-      last_response.should be_ok
-      session.should be_empty
+      last_response.should_not be_ok
    end
  end
 end