Merge pull request #164 from finnlabs/fix/csrf_for_server_virables_show

Skip Cross-site request forgery (CSRF) protection for show action
9 years ago · 93a8311950
parent a5f35c3f90 7f078624da
commit 93a8311950
11 changed files with 8 additions and 114 deletions
--- a/app/controllers/rb_server_variables_controller.rb
+++ b/app/controllers/rb_server_variables_controller.rb
@ -1,42 +0,0 @@
-#-- copyright
-# OpenProject Backlogs Plugin
-#
-# Copyright (C)2013-2014 the OpenProject Foundation (OPF)
-# Copyright (C)2011 Stephan Eckardt, Tim Felgentreff, Marnen Laibow-Koser, Sandro Munda
-# Copyright (C)2010-2011 friflaj
-# Copyright (C)2010 Maxime Guilbot, Andrew Vit, Joakim Kolsjö, ibussieres, Daniel Passos, Jason Vasquez, jpic, Emiliano Heyns
-# Copyright (C)2009-2010 Mark Maglana
-# Copyright (C)2009 Joe Heck, Nate Lowrie
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License version 3.
-#
-# OpenProject Backlogs is a derivative work based on ChiliProject Backlogs.
-# The copyright follows:
-# Copyright (C) 2010-2011 - Emiliano Heyns, Mark Maglana, friflaj
-# Copyright (C) 2011 - Jens Ulferts, Gregor Schmidt - Finn GmbH - Berlin, Germany
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-#
-# See doc/COPYRIGHT.rdoc for more details.
-#++
-
-class RbServerVariablesController < RbApplicationController
-  def show
-    respond_to do |format|
-      format.js { render layout: false }
-    end
-  end
-end
--- a/app/views/rb_master_backlogs/index.html.erb
+++ b/app/views/rb_master_backlogs/index.html.erb
@ -35,12 +35,8 @@ See doc/COPYRIGHT.rdoc for more details.
 ++#%>

 <% content_for :header_tags do %>
-<%= render :partial => 'shared/backlogs_header' %>
+  <%= render :partial => 'shared/backlogs_header' %>
  <%= stylesheet_link_tag 'backlogs/master_backlog.css' %>
-  <%= javascript_include_tag url_for(:controller => '/rb_server_variables',
-                                     :action => 'show',
-                                     :project_id => @project,
-                                     authenticity_token: form_authenticity_token) %>
 <% end %>

 <div class='contextual'></div>
--- a/app/views/rb_taskboards/show.html.erb
+++ b/app/views/rb_taskboards/show.html.erb
@ -35,13 +35,8 @@ See doc/COPYRIGHT.rdoc for more details.
 ++#%>

 <% content_for :header_tags do %>
-<%= render :partial => 'shared/backlogs_header' %>
+  <%= render :partial => 'shared/backlogs_header' %>
  <%= stylesheet_link_tag 'backlogs/taskboard.css' %>
-  <%= javascript_include_tag url_for(:controller => 'rb_server_variables',
-                                     :action => 'show',
-                                     :project_id => @project,
-                                     :sprint_id => @sprint,
-                                     authenticity_token: form_authenticity_token) %>
 <% end %>

 <%= toolbar title: h(@sprint.name) do %>
--- a/app/views/shared/_backlogs_header.html.erb
+++ b/app/views/shared/_backlogs_header.html.erb
@ -36,3 +36,7 @@ See doc/COPYRIGHT.rdoc for more details.

 <%= stylesheet_link_tag 'backlogs/backlogs.css' %>
 <%= javascript_include_tag 'backlogs/backlogs.js' %>
+
+ <script type="text/javascript">
+   <%= render(partial: 'shared/server_variables.js.erb') %>
+ </script>
--- a/app/views/shared/_server_variables.js.erb
+++ b/app/views/shared/_server_variables.js.erb
@ -37,9 +37,6 @@ See doc/COPYRIGHT.rdoc for more details.
 RB.constants = {
  project_id: <%= @project.id %>,
  sprint_id: <%= @sprint ? @sprint.id : "null" %>,
-  protect_against_forgery: <%= protect_against_forgery? ? "true" : "false" %>,
-  request_forgery_protection_token: '<%= request_forgery_protection_token %>',
-  form_authenticity_token: '<%= form_authenticity_token %>'
 };

 RB.i18n = {
--- a/config/routes.rb
+++ b/config/routes.rb
@ -38,8 +38,6 @@ OpenProject::Application.routes.draw do
    scope 'projects/:project_id', as: 'project' do
      resources :backlogs,         controller: :rb_master_backlogs,  only: :index

-      resource :server_variables, controller: :rb_server_variables, only: :show, format: :js
-
      resources :sprints,          controller: :rb_sprints,          only: :update do
        resource :query,            controller: :rb_queries,          only: :show

--- a/features/common.feature
+++ b/features/common.feature
@ -73,7 +73,6 @@ Feature: Common

  Scenario: View the product backlog
     When I go to the master backlog
-      And I request the server_variables resource
     Then the request should complete successfully

  Scenario: View the product backlog without any stories
--- a/features/step_definitions/_when_steps.rb
+++ b/features/step_definitions/_when_steps.rb
@ -113,10 +113,6 @@ When /^I move the (\d+)(?:st|nd|rd|th) story to the (\d+|last)(?:st|nd|rd|th)? p
  ), prev: (prev.nil? ? '' : prev.text), '_method' => 'put'
 end

-When /^I request the server_variables resource$/ do
-  visit backlogs_project_server_variables_url(@project.id, format: 'js')
-end
-
 When /^I update the impediment$/ do
  page.driver.post backlogs_project_sprint_impediment_url(
    *@impediment_params.values_at('project_id', 'fixed_version_id', 'id')
--- a/lib/open_project/backlogs/engine.rb
+++ b/lib/open_project/backlogs/engine.rb
@ -67,7 +67,6 @@ module OpenProject::Backlogs
                                                   rb_wikis:            :show,
                                                   rb_stories:          [:index, :show],
                                                   rb_queries:          :show,
-                                                   rb_server_variables: :show,
                                                   rb_burndown_charts:  :show,
                                                   rb_export_card_configurations: [:index, :show]

@ -77,7 +76,6 @@ module OpenProject::Backlogs
                                                   rb_tasks:            [:index, :show],
                                                   rb_impediments:      [:index, :show],
                                                   rb_wikis:            :show,
-                                                   rb_server_variables: :show,
                                                   rb_burndown_charts:  :show,
                                                   rb_export_card_configurations: [:index, :show]

--- a/openproject-backlogs.gemspec
+++ b/openproject-backlogs.gemspec
@ -16,7 +16,7 @@ Gem::Specification.new do |s|
  s.test_files = Dir['spec/**/*']

  s.add_dependency  'rails', '~> 4.1.11'
-  s.add_dependency 'acts_as_silent_list'
+  s.add_dependency 'acts_as_silent_list', '~> 1.3.0'

  s.add_dependency 'openproject-pdf_export'

--- a/spec/routing/rb_server_variables_routing_spec.rb
+++ b/spec/routing/rb_server_variables_routing_spec.rb
@ -1,47 +0,0 @@
-#-- copyright
-# OpenProject Backlogs Plugin
-#
-# Copyright (C)2013-2014 the OpenProject Foundation (OPF)
-# Copyright (C)2011 Stephan Eckardt, Tim Felgentreff, Marnen Laibow-Koser, Sandro Munda
-# Copyright (C)2010-2011 friflaj
-# Copyright (C)2010 Maxime Guilbot, Andrew Vit, Joakim Kolsjö, ibussieres, Daniel Passos, Jason Vasquez, jpic, Emiliano Heyns
-# Copyright (C)2009-2010 Mark Maglana
-# Copyright (C)2009 Joe Heck, Nate Lowrie
-#
-# This program is free software; you can redistribute it and/or modify it under
-# the terms of the GNU General Public License version 3.
-#
-# OpenProject Backlogs is a derivative work based on ChiliProject Backlogs.
-# The copyright follows:
-# Copyright (C) 2010-2011 - Emiliano Heyns, Mark Maglana, friflaj
-# Copyright (C) 2011 - Jens Ulferts, Gregor Schmidt - Finn GmbH - Berlin, Germany
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-#
-# See doc/COPYRIGHT.rdoc for more details.
-#++
-
-require 'spec_helper'
-
-describe RbServerVariablesController, type: :routing do
-  describe 'routing' do
-    it {
-      expect(get('/projects/project_42/server_variables.js')).to route_to(controller: 'rb_server_variables',
-                                                                          action: 'show',
-                                                                          format: 'js',
-                                                                          project_id: 'project_42')
-    }
-  end
-end