FIX: Skip CSRF check for POST /categories/search (#29392)

This endpoint used to be a GET request, but was changed to POST to allow larger payloads. Follow up to commit ebc1763aa5.
2024-11-22 06:28:57 +08:00 · 2024-10-24 17:06:21 +03:00 · 2024-10-24 17:06:21 +03:00 · 2f1d1cd062
commit 2f1d1cd062
parent 0983e73c2c
2 changed files with 18 additions and 0 deletions
--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
@ -18,6 +18,7 @@ class CategoriesController < ApplicationController
  before_action :fetch_category, only: %i[show update destroy visible_groups]
  before_action :initialize_staff_action_logger, only: %i[create update destroy]
  skip_before_action :check_xhr, only: %i[index categories_and_latest categories_and_top redirect]
+  skip_before_action :verify_authenticity_token, only: %i[search]

  SYMMETRICAL_CATEGORIES_TO_TOPICS_FACTOR = 1.5
  MIN_CATEGORIES_TOPICS = 5
--- a/spec/requests/categories_controller_spec.rb
+++ b/spec/requests/categories_controller_spec.rb
@ -1504,6 +1504,23 @@ RSpec.describe CategoriesController do
      expect(response.status).to eq(200)
      expect(response.parsed_body["categories"].map { |c| c["id"] }).not_to include(category.id)
    end
+
+    context "when not logged in" do
+      before { ActionController::Base.allow_forgery_protection = true }
+      after { ActionController::Base.allow_forgery_protection = false }
+
+      it "works and is not CSRF protected" do
+        post "/categories/search.json", params: { term: "" }
+
+        expect(response.status).to eq(200)
+        expect(response.parsed_body["categories"].map { |c| c["id"] }).to contain_exactly(
+          SiteSetting.uncategorized_category_id,
+          category.id,
+          subcategory.id,
+          category2.id,
+        )
+      end
+    end
  end

  describe "#hierachical_search" do