app/controllers/resolve_controller.rb in umlaut-4.0.0.beta4 vs app/controllers/resolve_controller.rb in umlaut-4.0.0.beta5
- old
+ new
@@ -1,15 +1,17 @@
# Requests to the Resolve controller are OpenURLs.
# There is one exception: Instead of an OpenURL, you can include the
# parameter umlaut.request_id=[some id] to hook up to a pre-existing
# umlaut request (that presumably was an OpenURL).
class ResolveController < UmlautController
- before_filter :init_processing
+ # These methods are meant as API called from other sites via Javascript
+ # with JS responses. We don't want Rails to keep it from happening.
+ # http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
+ skip_before_filter :verify_authenticity_token, only: [:index, :background_status, :partial_html_sections, :api]
- # We need to NOT require a CSRF token on post to #index,
- # to allow POSTed OpenURLs
- protect_from_forgery :except => :index
+ before_filter :init_processing
+
# POST'ed OpenURLs are a mess, redirect them to GETs
before_filter :post_to_get, :only => :index
# Init processing will look at this list, and for actions mentioned,
# will not create a @user_request if an existing one can't be found.
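Review bot: The `skip_before_filter :verify_authenticity_token` line widens the exemption from `:index` alone to `:index`, `:background_status`, `:partial_html_sections` and `:api`, but the comment above it does not say what keeps that safe. With the token check skipped, other sites can trigger these actions and load their JS responses, so they need to stay read-only and return nothing tied to the caller's session. I would add `# Exempted actions must not change state or return session-specific data.` directly above the list. Removing `protect_from_forgery` here also means the remaining actions depend on a parent class enabling forgery protection, which this hunk does not show and is worth confirming. The class body continues outside the hunk.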
@@ -140,10 +142,10 @@
# We have to clean the params of bad char encoding bytes, or it causes
# no end of problems later. We can't just refuse to process, sources
# do send us bad bytes, I'm afraid.
params.values.each do |v|
- v.scrub!
+ v.scrub! if v.respond_to?(:'scrub!')
end
# Create an UmlautRequest object.
options = {}
if ( @@no_create_request_actions.include?(params[:action]) )
options[:allow_create] = false
\ No newline at end of file
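Review bot: The `respond_to?(:'scrub!')` guard on the `v.scrub!` line stops the crash on non-string values, but it leaves strings nested inside array or hash parameters unscrubbed. Invalid bytes in such a parameter would therefore still reach the later code that the comment says they break. Walking nested values keeps the clean-up complete; the sketch below assumes `params` values are Strings, Arrays or Hash subclasses, which looks true for the Rails versions this gem targets but should be confirmed. The enclosing method starts and ends outside the hunk.

```ruby
# Recursively scrub every string, including those inside nested arrays/hashes.
scrub_deep = lambda do |v|
  case v
  when String then v.scrub!
  when Array  then v.each(&scrub_deep)
  when Hash   then v.each_value(&scrub_deep)
  end
end
params.values.each(&scrub_deep)
# … unchanged: UmlautRequest options setup …
```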