FIX: Skip CSRF check for POST /categories/search (#29392)
This endpoint used to be a GET request, but was changed to POST to allow
larger payloads.
Follow-up to commit ebc1763aa5.
This commit is contained in:
parent
0983e73c2c
commit
2f1d1cd062
@ -18,6 +18,7 @@ class CategoriesController < ApplicationController
before_action :fetch_category, only: %i[show update destroy visible_groups]
before_action :initialize_staff_action_logger, only: %i[create update destroy]
skip_before_action :check_xhr, only: %i[index categories_and_latest categories_and_top redirect]
skip_before_action :verify_authenticity_token, only: %i[search]
SYMMETRICAL_CATEGORIES_TO_TOPICS_FACTOR = 1.5
MIN_CATEGORIES_TOPICS = 5
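Review bot: The added `skip_before_action :verify_authenticity_token, only: %i[search]` disables CSRF protection for a POST action without recording why, and its safety rests on `search` having no state-changing side effects, which this hunk does not show (the `CategoriesController` class and the `search` action both lie outside the hunk). A comment tying the exemption to the read-only nature of the action keeps a later maintainer from extending `only:` to a mutating action, e.g. `# search is a read-only query that moved from GET to POST for payload size (ebc1763aa5); CSRF protection is not needed here`. If `search` ever gains a side effect, this exemption should be revisited at the same time.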
@ -1504,6 +1504,23 @@ RSpec.describe CategoriesController do
expect(response.status).to eq(200)
expect(response.parsed_body["categories"].map { |c| c["id"] }).not_to include(category.id)
end
context "when not logged in" do
before { ActionController::Base.allow_forgery_protection = true }
after { ActionController::Base.allow_forgery_protection = false }
it "works and is not CSRF protected" do
post "/categories/search.json", params: { term: "" }
expect(response.status).to eq(200)
expect(response.parsed_body["categories"].map { |c| c["id"] }).to contain_exactly(
SiteSetting.uncategorized_category_id,
category.id,
subcategory.id,
category2.id,
)
end
end
end
describe "#hierachical_search" do
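Review bot: The `after` hook in the new "when not logged in" context resets `ActionController::Base.allow_forgery_protection` to a hard-coded `false` rather than to the value it had before the example, so if the suite ever runs with protection enabled this context would silently switch it off for every later example. Capture and restore the previous value instead: `before { @forgery_protection = ActionController::Base.allow_forgery_protection; ActionController::Base.allow_forgery_protection = true }` and `after { ActionController::Base.allow_forgery_protection = @forgery_protection }`. A companion example asserting that a still-protected POST action is rejected under the same setting would also show the toggle actually takes effect in these request specs, since the "works" example passes equally if forgery protection were never enforced. The enclosing `RSpec.describe` block starts outside the hunk.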