
github.com/diaspora/diaspora.git - Unnamed repository; edit this file 'description' to name the repository.
authorBenjamin Neff <benjamin@coding4coffee.ch>2022-07-24 02:30:41 +0300
committerBenjamin Neff <benjamin@coding4coffee.ch>2022-07-24 02:30:43 +0300
commit429a47d64d7753f14be454a519d198ca53ee7c7a (patch)
tree7bc37c85dfaaf22042a8754b9dddac43b2a1ee07
parenta88a25a5ebddad150f7a0016908697e702fde63d (diff)
parent9b6a2268e96f5a736130f6eabf3aa2c6428f3142 (diff)
Merge pull request #8381 from SuperTux88/fix-forgery-protection-for-federation
Bump diaspora_federation and enable forgery protection by default again
-rw-r--r--Gemfile6
-rw-r--r--Gemfile.lock18
-rw-r--r--app/controllers/application_controller.rb1
-rw-r--r--config/application.rb5
4 files changed, 12 insertions, 18 deletions
diff --git a/Gemfile b/Gemfile
index 56d4904d7..9a0a48222 100644
--- a/Gemfile
+++ b/Gemfile
@@ -15,8 +15,8 @@ gem "unicorn-worker-killer", "0.4.5"
# Federation
-gem "diaspora_federation-json_schema", "1.0.0"
-gem "diaspora_federation-rails", "1.0.0"
+gem "diaspora_federation-json_schema", "1.0.1"
+gem "diaspora_federation-rails", "1.0.1"
# API and JSON
@@ -245,7 +245,7 @@ group :test do
gem "timecop", "0.9.5"
gem "webmock", "3.14.0", require: false
- gem "diaspora_federation-test", "1.0.0"
+ gem "diaspora_federation-test", "1.0.1"
end
group :development, :test do
diff --git a/Gemfile.lock b/Gemfile.lock
index c02c73753..554a667cb 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -209,18 +209,18 @@ GEM
devise_lastseenable (0.0.6)
devise
rails (>= 3.0.4)
- diaspora_federation (1.0.0)
+ diaspora_federation (1.0.1)
faraday (>= 1.0, < 3)
faraday-follow_redirects (~> 0.3)
nokogiri (~> 1.6, >= 1.6.8)
typhoeus (~> 1.0)
valid (~> 1.0)
- diaspora_federation-json_schema (1.0.0)
- diaspora_federation-rails (1.0.0)
+ diaspora_federation-json_schema (1.0.1)
+ diaspora_federation-rails (1.0.1)
actionpack (>= 5.2, < 8)
- diaspora_federation (= 1.0.0)
- diaspora_federation-test (1.0.0)
- diaspora_federation (= 1.0.0)
+ diaspora_federation (= 1.0.1)
+ diaspora_federation-test (1.0.1)
+ diaspora_federation (= 1.0.1)
fabrication (~> 2.29)
uuid (~> 2.3, >= 2.3.8)
diff-lcs (1.5.0)
@@ -800,9 +800,9 @@ DEPENDENCIES
devise (= 4.8.1)
devise-two-factor (= 4.0.2)
devise_lastseenable (= 0.0.6)
- diaspora_federation-json_schema (= 1.0.0)
- diaspora_federation-rails (= 1.0.0)
- diaspora_federation-test (= 1.0.0)
+ diaspora_federation-json_schema (= 1.0.1)
+ diaspora_federation-rails (= 1.0.1)
+ diaspora_federation-test (= 1.0.1)
eye (= 0.10.0)
factory_bot_rails (= 6.2.0)
faraday (= 1.10.0)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c1a16ff94..ec46be826 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -7,7 +7,6 @@
class ApplicationController < ActionController::Base
before_action :force_tablet_html
has_mobile_fu
- protect_from_forgery except: :receive, with: :exception, prepend: true
rescue_from ActionController::InvalidAuthenticityToken do
if user_signed_in?
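Review bot: With the explicit `protect_from_forgery except: :receive, with: :exception, prepend: true` line gone, CSRF protection for every controller inheriting from ApplicationController now depends on Rails' `default_protect_from_forgery` setting being true, and nothing visible in this commit sets it; the config/application.rb hunk only deletes the `= false` override. That default is presumably supplied by a `config.load_defaults` call outside the visible hunks, so it is worth confirming, and a request spec asserting that a state-changing request without a valid token reaches the `rescue_from ActionController::InvalidAuthenticityToken` handler would keep a later config change from silently disabling the check. The `except: :receive` exemption is dropped as well, so the federation receive endpoints presumably rely on the bumped diaspora_federation-rails 1.0.1 to opt out on their own controllers; that is inferred from the commit title, not shown here. I would add a comment above `rescue_from`, such as `# CSRF protection is enabled via Rails' default_protect_from_forgery; there is no explicit protect_from_forgery call here.` The class body continues outside the hunk.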
diff --git a/config/application.rb b/config/application.rb
index 9b1c1050b..7594255f8 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -39,11 +39,6 @@ module Diaspora
# Enable escaping HTML in JSON.
config.active_support.escape_html_entities_in_json = true
- # We specify CSRF protection manually in ApplicationController with
- # protect_from_forgery - having it enabled anywhere by default breaks
- # federation.
- config.action_controller.default_protect_from_forgery = false
-
# Enable the asset pipeline
config.assets.enabled = true