Fix CSRF in form submission

2019-04-10 14:14:17 +02:00 · 2019-04-10 14:14:17 +02:00 · 4eb84e1c91
parent 51a045dae9
commit 4eb84e1c91
3 changed files with 14 additions and 7 deletions
--- a/app/assets/javascripts/components/transaction_form.jsx.coffee
+++ b/app/assets/javascripts/components/transaction_form.jsx.coffee
@ -134,7 +134,7 @@ Step = React.createFactory React.createClass
    e.preventDefault()

    { giving, peer } = @state
-    { user }         = @props
+    { user, csrf_token } = @props

    errors = @errors()
    if Object.keys(errors).length != 0
@ -157,6 +157,11 @@ Step = React.createFactory React.createClass
      .attr('value', creditor)
      .attr('type', 'hidden')
      .appendTo(@refs.form)
+    $('<input />')
+      .attr('name', 'authenticity_token')
+      .attr('value', csrf_token)
+      .attr('type', 'hidden')
+      .appendTo(@refs.form)

    @refs.form.submit()
  errors: ->
--- a/app/controllers/transactions_controller.rb
+++ b/app/controllers/transactions_controller.rb
@ -1,10 +1,12 @@
 class TransactionsController < ApplicationController
-  skip_before_action :verify_authenticity_token, only: :create
+  load_and_authorize_resource :user, find_by: :name

-  before_action :authenticate_user!, except: :create
-  before_action :authenticate_user_or_client!, only: :create
-
-  respond_to :js, only: :create
+  def index
+    @transactions = @user.transactions
+    respond_to do |format|
+      format.json { render json: @transactions }
+    end
+  end

  def create
    @transaction = Transaction.new(transaction_params)
--- a/app/views/pages/_transaction_form.html.haml
+++ b/app/views/pages/_transaction_form.html.haml
@ -1,3 +1,3 @@
 .card-wrapper
  .card.padded
-    = react_component 'TransactionForm', user: current_user, peers: User.all.order(:name).pluck(:name)
+    = react_component 'TransactionForm', user: current_user, peers: User.all.order(:name).pluck(:name), csrf_token: form_authenticity_token