Explicitly add `protect_from_forgery` action

Otherwise the token might be cleared before authentication is done, causing the authentication itself to fail
author: Bob Van Landuyt <bob@vanlanduyt.co> 2017-07-24 15:53:30 +0300
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2017-07-25 00:28:07 +0300
commit: fa9adb6599ae20c8522c92c9a0d670633fe3d5b0 (patch)
tree: 37eb6d21cd924a7514d523987d80fe69096d338f /app/controllers/sessions_controller.rb
parent: d3f5e78bf22444c5fc1d7af253473fa5478a86c8 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 0e8a57f8e03..69513f4dadc 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -5,6 +5,14 @@ class SessionsController < Devise::SessionsController
 
   skip_before_action :check_two_factor_requirement, only: [:destroy]
 
+  # Explicitly call protect from forgery before anything else. Otherwise the
+  # CSFR-token might be cleared before authentication is done. This was the case
+  # when LDAP was enabled and the `OmniauthCallbacksController` is loaded
+  #
+  # *Note:* `prepend: true` is the default for rails4, but this will be changed
+  # to `prepend: false` in rails5.
+  protect_from_forgery prepend: true, with: :exception
+
   prepend_before_action :check_initial_setup, only: [:new]
   prepend_before_action :authenticate_with_two_factor,
     if: :two_factor_enabled?, only: [:create]
author	Bob Van Landuyt <bob@vanlanduyt.co>	2017-07-24 15:53:30 +0300
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2017-07-25 00:28:07 +0300
commit	fa9adb6599ae20c8522c92c9a0d670633fe3d5b0 (patch)
tree	37eb6d21cd924a7514d523987d80fe69096d338f /app/controllers/sessions_controller.rb
parent	d3f5e78bf22444c5fc1d7af253473fa5478a86c8 (diff)