app/controllers/resolve_controller.rb in umlaut-3.1.0 vs app/controllers/resolve_controller.rb in umlaut-3.1.1


@@ -3,10 +3,16 @@ # parameter umlaut.request_id=[some id] to hook up to a pre-existing # umlaut request (that presumably was an OpenURL). class ResolveController < UmlautController before_filter :init_processing + # We need to NOT require a CSRF token on post to #index, + # to allow POSTed OpenURLs + protect_from_forgery :except => :index + # POST'ed OpenURLs are a mess, redirect them to GETs + before_filter :post_to_get, :only => :index + # Init processing will look at this list, and for actions mentioned, # will not create a @user_request if an existing one can't be found. # Used for actions meant only to deal with existing requests. @@no_create_request_actions = ['background_update'] after_filter :save_request @@ -127,16 +133,24 @@ render(:template => "error/resolve_error", :status => 500 ) end protected + def post_to_get + if request.method == "POST" + redirect_to url_for(params) + end + end + # Retrives or sets up the relevant Umlaut Request, and returns it. - def init_processing + def init_processing # intentionally trigger creation of session if it didn't already exist # because we need to track session ID for caching. Can't find any # way to force session creation without setting a value in session, # so we do this weird one. session[nil] = nil + + # We have to clean the params of bad char encoding bytes, or it causes # no end of problems later. We can't just refuse to process, sources # do send us bad bytes, I'm afraid. params.values.each do |v| \ No newline at end of file
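Review bot: The new `before_filter :post_to_get, :only => :index` is declared after `before_filter :init_processing`, so, assuming filters run in declaration order, a POST to #index goes through the session and request setup in init_processing before it is redirected, and the follow-up GET repeats that work. Declaring the redirect filter first, e.g. `prepend_before_filter :post_to_get, :only => :index`, would keep the discarded POST from touching session or request state. Because `protect_from_forgery :except => :index` removes the token check for that action, the comment above it should also say that #index must stay free of changes made on behalf of the current session, for example `# index is CSRF-exempt: it must only resolve the OpenURL, never change per-user state`.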
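Review bot: In post_to_get, `redirect_to url_for(params)` hands the raw request parameters to url_for, which reads keys such as `host`, `protocol`, `port` and `only_path` as URL options rather than query parameters, so a POSTed form can steer the redirect to another origin. The CSRF exemption on #index makes such a cross-site POST easy to deliver. Pinning the redirect to the application closes that: `redirect_to url_for(params.merge(:only_path => true))`, or an explicit reject of the routing option keys before building the URL. The POST body also ends up in the query string of the GET, so long POSTed OpenURLs may exceed URL length limits and will appear in access logs; a short comment on the method noting that trade-off would help. `request.post?` reads more idiomatically than `request.method == "POST"`.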