Fix CSRF in form submission

redfast00 2019-04-10 14:14:17 +02:00
parent 51a045dae9
commit 4eb84e1c91
No known key found for this signature in database
GPG key ID: 5946E0E34FD0553C
3 changed files with 14 additions and 7 deletions


@ -134,7 +134,7 @@ Step = React.createFactory React.createClass
e.preventDefault()
{ giving, peer } = @state
{ user } = @props
{ user, csrf_token } = @props
errors = @errors()
if Object.keys(errors).length != 0
@ -157,6 +157,11 @@ Step = React.createFactory React.createClass
.attr('value', creditor)
.attr('type', 'hidden')
.appendTo(@refs.form)
$('<input />')
.attr('name', 'authenticity_token')
.attr('value', csrf_token)
.attr('type', 'hidden')
.appendTo(@refs.form)
@refs.form.submit()
errors: ->
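Review bot: The hidden field depends on every caller of the component passing a `csrf_token` prop, and its name is hard-coded as `'authenticity_token'`. If a caller omits the prop, the form is likely posted with an empty token, which a verifying server rejects and a non-verifying one accepts without complaint. A fallback right after the destructuring would make this robust, for example `csrf_token ?= $('meta[name="csrf-token"]').attr('content')`, assuming the layout emits `csrf_meta_tags` (not visible on this page). The field name must also match the server's configured forgery-protection parameter, so a short comment saying that next to the `.attr('name', 'authenticity_token')` line would help. The submit handler starts before the first hunk, so the rest of it is not reviewed here.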


@ -1,10 +1,12 @@
class TransactionsController < ApplicationController
skip_before_action :verify_authenticity_token, only: :create
load_and_authorize_resource :user, find_by: :name
before_action :authenticate_user!, except: :create
before_action :authenticate_user_or_client!, only: :create
respond_to :js, only: :create
def index
@transactions = @user.transactions
respond_to do |format|
format.json { render json: @transactions }
end
end
def create
@transaction = Transaction.new(transaction_params)
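Review bot: `create` can be reached by a logged-in browser session and by an API client (`authenticate_user_or_client!`), so CSRF verification has to stay on for the cookie-authenticated path, and any exemption should cover only client-authenticated requests. This page has lost its `+`/`-` markers, so it is not visible whether `skip_before_action :verify_authenticity_token, only: :create` is removed by the commit. If it remains, the `authenticity_token` field added to the form is never checked. If it is removed, API clients that send no token would presumably be rejected unless they are exempted elsewhere. Either way a comment above the filters would record the intent, for example `# CSRF is verified on create for session requests; API-client requests must be exempted explicitly, never by a blanket skip`. The body of `create` continues outside the hunk.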


@ -1,3 +1,3 @@
.card-wrapper
.card.padded
= react_component 'TransactionForm', user: current_user, peers: User.all.order(:name).pluck(:name)
= react_component 'TransactionForm', user: current_user, peers: User.all.order(:name).pluck(:name), csrf_token: form_authenticity_token