app/controllers/scrivito/webservice_controller.rb in scrivito_sdk-1.2.0 vs app/controllers/scrivito/webservice_controller.rb in scrivito_sdk-1.3.0.rc1

- old
+ new

@@ -5,13 +5,24 @@
       @error = error
       @timestamp = Time.zone.now
       render 'scrivito/webservice/error', formats: :json, status: error.http_code
     end
+    before_filter :verify_authenticity_token_for_every_request
     before_filter :merge_correctly_parsed_json_params
     before_filter :authorize
     private
+
+    # similar to Rails' verify_authenticity_token, but also protects GET and HEAD
+    def verify_authenticity_token_for_every_request
+      # don't check in test environment
+      return unless protect_against_forgery?
+
+      unless valid_authenticity_token?(session, request.headers['X-CSRF-Token'])
+        raise ActionController::InvalidAuthenticityToken
+      end
+    end
     def authorize
       render_forbidden unless allow_access?
     end
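Review bot: The comment `# don't check in test environment` above `return unless protect_against_forgery?` describes a side effect of the default configuration rather than the actual condition: `protect_against_forgery?` reflects `config.action_controller.allow_forgery_protection`, which happens to be off by default in test but can be disabled in any environment, silently turning this filter off. A comment naming the real switch makes that visible to whoever reads the security check, e.g. `# skipped when forgery protection is disabled (allow_forgery_protection, off by default in the test environment)`. The method header comment should also record that only the `X-CSRF-Token` header is consulted and the form-parameter token Rails' own `verified_request?` accepts is deliberately not, since callers of this webservice have to know where to send the token. One thing to confirm: the `rescue_from` handler at the top of the hunk renders `status: error.http_code`; if its declared exception class (outside the hunk) also covers `ActionController::InvalidAuthenticityToken`, the raise here would end in a NoMethodError rather than the intended rejection. The enclosing controller class starts and ends outside the hunk.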