From 4eb84e1c9153747aa6b1c3259c7f027319555517 Mon Sep 17 00:00:00 2001
From: redfast00
Date: Wed, 10 Apr 2019 14:14:17 +0200
Subject: [PATCH] Fix CSRF in form submission

---
 .../components/transaction_form.jsx.coffee | 7 ++++++-
 app/controllers/transactions_controller.rb | 12 +++++++-----
 app/views/pages/_transaction_form.html.haml | 2 +-
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/app/assets/javascripts/components/transaction_form.jsx.coffee b/app/assets/javascripts/components/transaction_form.jsx.coffee
index 3924a32..2549a24 100644
--- a/app/assets/javascripts/components/transaction_form.jsx.coffee
+++ b/app/assets/javascripts/components/transaction_form.jsx.coffee
@@ -134,7 +134,7 @@ Step = React.createFactory React.createClass
 e.preventDefault()
 { giving, peer } = @state
- { user } = @props
+ { user, csrf_token } = @props
 errors = @errors()
 if Object.keys(errors).length != 0
@@ -157,6 +157,11 @@ Step = React.createFactory React.createClass
 .attr('value', creditor)
 .attr('type', 'hidden')
 .appendTo(@refs.form)
+ $('')
+ .attr('name', 'authenticity_token')
+ .attr('value', csrf_token)
+ .attr('type', 'hidden')
+ .appendTo(@refs.form)
 @refs.form.submit()
 errors: ->
diff --git a/app/controllers/transactions_controller.rb b/app/controllers/transactions_controller.rb
index 234e25a..6361ad9 100644
--- a/app/controllers/transactions_controller.rb
+++ b/app/controllers/transactions_controller.rb
@@ -1,10 +1,12 @@
 class TransactionsController < ApplicationController
- skip_before_action :verify_authenticity_token, only: :create
+ load_and_authorize_resource :user, find_by: :name
- before_action :authenticate_user!, except: :create
- before_action :authenticate_user_or_client!, only: :create
-
- respond_to :js, only: :create
+ def index
+ @transactions = @user.transactions
+ respond_to do |format|
+ format.json { render json: @transactions }
+ end
+ end
 def create
 @transaction = Transaction.new(transaction_params)
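Review bot: As printed, the new hidden field is created with `$('')`, an empty selector that yields an empty jQuery set, so the following `.attr` chain and `.appendTo(@refs.form)` are no-ops and no `authenticity_token` field ever reaches the form; with forgery verification now enforced on `create` in transactions_controller.rb, every submit would then be rejected. This is probably an extraction artifact of an element literal (the creditor field just above uses the same chain and its first line is outside the hunk), but confirm the source constructs an element rather than passing a selector. The two hidden-field chains are now identical apart from name and value; a small helper `addHidden = (name, value) ->` that builds the element and appends it to `@refs.form` would remove the duplication. The submit handler this code belongs to starts before the hunk.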
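Review bot: Dropping both `before_action :authenticate_user!` and `before_action :authenticate_user_or_client!` leaves no authentication check visible in this controller; `load_and_authorize_resource :user, find_by: :name` only consults the Ability for whatever `current_user` is, so unless ApplicationController enforces sign-in, a signed-out request now reaches `index` and `create` and is gated solely by the guest ability. If that is not intended, keep `before_action :authenticate_user!` above the `load_and_authorize_resource` line. The removal of `authenticate_user_or_client!` and `respond_to :js, only: :create` also retires whatever non-browser client path `create` had, which the commit message ("Fix CSRF in form submission") does not mention; a sentence there would help, and if `create` still calls `respond_with` past the hunk, it needs checking now that no formats are declared. The class body continues beyond the hunk.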
diff --git a/app/views/pages/_transaction_form.html.haml b/app/views/pages/_transaction_form.html.haml
index 2da34ad..12d58d7 100644
--- a/app/views/pages/_transaction_form.html.haml
+++ b/app/views/pages/_transaction_form.html.haml
@@ -1,3 +1,3 @@
 .card-wrapper
 .card.padded
- = react_component 'TransactionForm', user: current_user, peers: User.all.order(:name).pluck(:name)
+ = react_component 'TransactionForm', user: current_user, peers: User.all.order(:name).pluck(:name), csrf_token: form_authenticity_token