From 2f1d1cd062dc78cf41f2004a80739a389f94dbc8 Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Thu, 24 Oct 2024 17:06:21 +0300
Subject: [PATCH] FIX: Skip CSRF check for POST /categories/search (#29392)

This endpoint used to be a GET request, but was changed to POST to allow larger payloads.
Follow up to commit ebc1763aa5c5224b42ef79680a5d1839ebbd5a85.
---
 app/controllers/categories_controller.rb    |  1 +
 spec/requests/categories_controller_spec.rb | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/app/controllers/categories_controller.rb b/app/controllers/categories_controller.rb
index 558fc168da6..82a8949e641 100644
--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
@@ -18,6 +18,7 @@ class CategoriesController < ApplicationController
   before_action :fetch_category, only: %i[show update destroy visible_groups]
   before_action :initialize_staff_action_logger, only: %i[create update destroy]
   skip_before_action :check_xhr, only: %i[index categories_and_latest categories_and_top redirect]
+  skip_before_action :verify_authenticity_token, only: %i[search]
 
   SYMMETRICAL_CATEGORIES_TO_TOPICS_FACTOR = 1.5
   MIN_CATEGORIES_TOPICS = 5
diff --git a/spec/requests/categories_controller_spec.rb b/spec/requests/categories_controller_spec.rb
index d4ebd02fcef..fb3749c5fdc 100644
--- a/spec/requests/categories_controller_spec.rb
+++ b/spec/requests/categories_controller_spec.rb
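Review bot: The added `skip_before_action :verify_authenticity_token, only: %i[search]` permanently exempts a POST action from forgery verification, and nothing in the code records why that is acceptable — the justification exists only in the commit message. A comment on the line would stop the next maintainer from treating it as a template for other POST actions: `# search is read-only; it moved from GET to POST only to allow larger payloads, so CSRF protection is not needed`. Because the exemption is unconditional, any state-changing logic later added to `search` (the action body is outside this hunk) would run without forgery protection, so "read-only" is now part of that action's contract and worth stating where the skip is declared. The enclosing class continues beyond the hunk.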
@@ -1504,6 +1504,23 @@ RSpec.describe CategoriesController do
       expect(response.status).to eq(200)
       expect(response.parsed_body["categories"].map { |c| c["id"] }).not_to include(category.id)
     end
+
+    context "when not logged in" do
+      before { ActionController::Base.allow_forgery_protection = true }
+      after { ActionController::Base.allow_forgery_protection = false }
+
+      it "works and is not CSRF protected" do
+        post "/categories/search.json", params: { term: "" }
+
+        expect(response.status).to eq(200)
+        expect(response.parsed_body["categories"].map { |c| c["id"] }).to contain_exactly(
+          SiteSetting.uncategorized_category_id,
+          category.id,
+          subcategory.id,
+          category2.id,
+        )
+      end
+    end
   end
 
   describe "#hierachical_search" do
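Review bot: The `after` hook in the new context resets `ActionController::Base.allow_forgery_protection` to a hard-coded `false` instead of the value it held before the `before` hook ran, so it would silently clobber the global if the suite ever runs with forgery protection enabled elsewhere; capturing and restoring it is safer: `before { @forgery = ActionController::Base.allow_forgery_protection; ActionController::Base.allow_forgery_protection = true }` and `after { ActionController::Base.allow_forgery_protection = @forgery }`. The context is titled "when not logged in" but none of the visible lines establish that state; presumably request specs start without a session, but if an outer `before` signs in a user the title would be misleading — worth confirming. The enclosing `describe` begins outside the hunk.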