Explicitly add `protect_from_forgery` action
Otherwise the token might be cleared before authentication is done, causing the authentication itself to fail
parent
d3f5e78bf2
commit
fa9adb6599
@ -5,6 +5,14 @@ class SessionsController < Devise::SessionsController
|
|||
|
||||
skip_before_action :check_two_factor_requirement, only: [:destroy]
|
||||
|
||||
# Explicitly call protect from forgery before anything else. Otherwise the
|
||||
# CSFR-token might be cleared before authentication is done. This was the case
|
||||
# when LDAP was enabled and the `OmniauthCallbacksController` is loaded
|
||||
#
|
||||
# *Note:* `prepend: true` is the default for rails4, but this will be changed
|
||||
# to `prepend: false` in rails5.
|
||||
protect_from_forgery prepend: true, with: :exception
|
||||
|
||||
prepend_before_action :check_initial_setup, only: [:new]
|
||||
prepend_before_action :authenticate_with_two_factor,
|
||||
if: :two_factor_enabled?, only: [:create]
|
||||
|
|
|
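Review bot: The comment added above `protect_from_forgery` misspells the token name as `CSFR-token`; it should read `CSRF token` so the wording matches the Rails term a reader will search for. Because this controller now declares its own forgery-protection strategy, the `with: :exception` choice should match whatever the application's base controller uses, otherwise login gets a different failure mode from the rest of the app; a short pointer such as `# keep `with:` in sync with ApplicationController` would make that coupling visible. The `prepend: true` note is accurate as far as the hunk shows: Rails 5 changes the default to `prepend: false`, so naming it explicitly keeps the callback ordering stable across the upgrade. The `SessionsController` class body continues outside the hunk.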
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Fix cross site request protection when logging in as a regular user when LDAP
|
||||
is enabled
|
||||
merge_request: 13049
|
||||
author:
|