diff --git a/Gemfile.lock b/Gemfile.lock index 8fa7b358..5087d71e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -45,7 +45,7 @@ PATH mimetype-fu (~> 0.1.2) mongo (~> 1.5.2) mongoid (~> 2.4.9) - multi_json (= 1.3.4) + multi_json (~> 1.3.4) rack-cache (~> 1.1) rails (~> 3.2.3) rails-backbone (~> 0.6.1) @@ -109,7 +109,7 @@ GEM carrierwave-mongoid (0.1.3) carrierwave (>= 0.5.6) mongoid (~> 2.1) - cells (3.8.3) + cells (3.8.5) actionpack (~> 3.0) railties (~> 3.0) childprocess (0.3.2) @@ -123,13 +123,12 @@ GEM coffee-script (2.2.0) coffee-script-source execjs - coffee-script-source (1.3.1) - cucumber (1.1.9) + coffee-script-source (1.3.3) + cucumber (1.2.0) builder (>= 2.1.2) - diff-lcs (>= 1.1.2) - gherkin (~> 2.9.0) + diff-lcs (>= 1.1.3) + gherkin (~> 2.10.0) json (>= 1.4.6) - term-ansicolor (>= 1.0.6) cucumber-rails (1.3.0) capybara (>= 1.1.2) cucumber (>= 1.1.8) @@ -149,7 +148,7 @@ GEM ejs (1.0.0) erubis (2.7.0) excon (0.13.4) - execjs (1.3.1) + execjs (1.4.0) multi_json (~> 1.0) factory_girl (2.5.2) activesupport (>= 2.3.9) @@ -169,14 +168,14 @@ GEM net-ssh (>= 2.1.3) nokogiri (~> 1.5.0) ruby-hmac - formatador (0.2.1) + formatador (0.2.3) formtastic (2.0.2) rails (~> 3.0) fssm (0.2.9) - gherkin (2.9.3) + gherkin (2.10.0) json (>= 1.4.6) - haml (3.1.4) - highline (1.6.11) + haml (3.1.6) + highline (1.6.12) hike (1.2.1) httparty (0.8.3) multi_json (~> 1.0) @@ -186,7 +185,8 @@ GEM jquery-rails (1.0.19) railties (~> 3.0) thor (~> 0.14) - json (1.7.0) + jruby-pageant (1.0.2) + json (1.7.3) json_spec (1.0.3) multi_json (~> 1.0) rspec (~> 2.0) @@ -215,15 +215,16 @@ GEM mocha (0.9.12) mongo (1.5.2) bson (= 1.5.2) - mongoid (2.4.9) + mongoid (2.4.10) activemodel (~> 3.1) mongo (~> 1.3) tzinfo (~> 0.3.22) - multi_json (1.3.4) - multi_xml (0.4.4) + multi_json (1.3.5) + multi_xml (0.5.1) net-scp (1.0.4) net-ssh (>= 1.99.1) - net-ssh (2.3.0) + net-ssh (2.4.0) + jruby-pageant (>= 1.0.2) nokogiri (1.5.2) orm_adapter (0.0.7) pickle (0.4.10) 
@@ -256,7 +257,7 @@ GEM rake (>= 0.8.7) rdoc (~> 3.4) thor (~> 0.14.6) - raindrops (0.8.0) + raindrops (0.9.0) rake (0.9.2.2) rdoc (3.12) json (~> 1.4) @@ -283,7 +284,7 @@ GEM rubyzip (0.9.8) sanitize (2.0.3) nokogiri (>= 1.4.4, < 1.6) - sass (3.1.17) + sass (3.1.18) sass-rails (3.2.5) railties (~> 3.2.0) sass (>= 3.1.10) @@ -300,7 +301,6 @@ GEM hike (~> 1.2) rack (~> 1.0) tilt (~> 1.1, != 1.3.0) - term-ansicolor (1.0.7) thor (0.14.6) tilt (1.3.3) treetop (1.4.10) @@ -315,7 +315,7 @@ GEM rack raindrops (~> 0.7) unidecoder (1.1.1) - warden (1.1.1) + warden (1.2.0) rack (>= 1.0) xpath (0.1.4) nokogiri (~> 1.3) diff --git a/app/controllers/locomotive/public/content_entries_controller.rb b/app/controllers/locomotive/public/content_entries_controller.rb index 605c15a6..37dfe46f 100644 --- a/app/controllers/locomotive/public/content_entries_controller.rb +++ b/app/controllers/locomotive/public/content_entries_controller.rb @@ -6,8 +6,6 @@ module Locomotive before_filter :sanitize_entry_params, :only => :create - skip_before_filter :verify_authenticity_token - skip_load_and_authorize_resource self.responder = Locomotive::ActionController::PublicResponder # custom responder @@ -17,7 +15,6 @@ module Locomotive def create @entry = @content_type.entries.create(params[:entry] || params[:content]) flash[@content_type.slug.singularize] = @entry.to_presenter(:include_errors => true).as_json - Rails.logger.debug @entry.to_presenter(:include_errors => true).as_json respond_with @entry, :location => self.callback_url end @@ -48,6 +45,13 @@ module Locomotive end end + def handle_unverified_request + if Locomotive.config.csrf_protection + reset_session + redirect_to '/', :status => 302 + end + end + end end end diff --git a/features/public/contact_form.feature b/features/public/contact_form.feature index cf1a3897..0705445d 100644 --- a/features/public/contact_form.feature +++ b/features/public/contact_form.feature 
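Review bot: The new handle_unverified_request in the last controller hunk turns an authenticity-token failure into a no-op whenever Locomotive.config.csrf_protection is off, because the override replaces Rails' default reset_session with an empty branch and the request then proceeds with its session intact; that reads as the intended opt-in for public forms, but the method should say so, e.g. `# CSRF checking is opt-in for public submissions: when csrf_protection is off an unverified token is ignored and the request proceeds with its session intact.` When protection is on, the rejection leaves no trace, so a `Rails.logger.warn "Rejected unverified public submission for #{request.fullpath}"` before `reset_session` would make failed checks observable, and `:status => 302` is already redirect_to's default and can be dropped. The first hunk of this file also removes `skip_load_and_authorize_resource`; if a parent controller declares load_and_authorize_resource, anonymous submissions will now pass through CanCan, which is worth confirming is intended. The enclosing class starts before the first hunk, so whether the new method lands in a protected or private section is not visible here.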
@@ -4,6 +4,7 @@ Feature: Contact form I want to be able to send them a message Background: + Given I enable the CSRF protection for public submission requests Given I have the site: "test site" set up And I have a custom model named "Messages" with | label | type | required | @@ -16,6 +17,7 @@ Feature: Contact form