monorail
/
mastodon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix admin API unconditionally requiring CSRF token (#17975) 

Fixes #17898

Since #17204, the admin API has only been available through the web
application because of the unconditional requirement to provide a valid CSRF
token.

This commit changes it back to `null_session`, which should make it work
both with session-based authentication (provided a CSRF token) and with a
bearer token.
This commit is contained in:
Claire 2022-04-06 20:57:18 +02:00 committed by GitHub
parent d116cb7733
commit 62c6e12fa5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 0 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/api/v1/admin/account_actions_controller.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Admin::AccountActionsController < Api::BaseController class Api::V1::Admin::AccountActionsController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:write', :'admin:write:accounts' } before_action -> { authorize_if_got_token! :'admin:write', :'admin:write:accounts' }
before_action :require_staff! before_action :require_staff!
before_action :set_account before_action :set_account

2
app/controllers/api/v1/admin/accounts_controller.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Admin::AccountsController < Api::BaseController class Api::V1::Admin::AccountsController < Api::BaseController
protect_from_forgery with: :exception
include Authorization include Authorization
include AccountableConcern include AccountableConcern

2
app/controllers/api/v1/admin/dimensions_controller.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Admin::DimensionsController < Api::BaseController class Api::V1::Admin::DimensionsController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' } before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff! before_action :require_staff!
before_action :set_dimensions before_action :set_dimensions

2
app/controllers/api/v1/admin/measures_controller.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Admin::MeasuresController < Api::BaseController class Api::V1::Admin::MeasuresController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' } before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff! before_action :require_staff!
before_action :set_measures before_action :set_measures

2
app/controllers/api/v1/admin/reports_controller.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Admin::ReportsController < Api::BaseController class Api::V1::Admin::ReportsController < Api::BaseController
protect_from_forgery with: :exception
include Authorization include Authorization
include AccountableConcern include AccountableConcern

2
app/controllers/api/v1/admin/retention_controller.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Admin::RetentionController < Api::BaseController class Api::V1::Admin::RetentionController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' } before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff! before_action :require_staff!
before_action :set_cohorts before_action :set_cohorts

2
app/controllers/api/v1/admin/trends/links_controller.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Admin::Trends::LinksController < Api::BaseController class Api::V1::Admin::Trends::LinksController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' } before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff! before_action :require_staff!
before_action :set_links before_action :set_links

2
app/controllers/api/v1/admin/trends/statuses_controller.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Admin::Trends::StatusesController < Api::BaseController class Api::V1::Admin::Trends::StatusesController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' } before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff! before_action :require_staff!
before_action :set_statuses before_action :set_statuses

2
app/controllers/api/v1/admin/trends/tags_controller.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Admin::Trends::TagsController < Api::BaseController class Api::V1::Admin::Trends::TagsController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' } before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff! before_action :require_staff!
before_action :set_tags before_action :set_tags