upmin / upmin-admin-ruby

Framework for creating powerful admin backends with minimal effort in Ruby on Rails.
MIT License
757 stars 66 forks

Protect upmin controllers from CSRF attacks #178

Closed jsyeo closed 8 years ago

jsyeo commented 8 years ago

Both DashboardController and ModelsController inherit from ApplicationController and it is a direct subclass of ActionController::Base, but it doesn't call protect_from_forgery to turn on CSRF protection. Thus all the controllers in upmin are potentially vulnerable to CSRF attacks. This PR inserts a call in upmin's ApplicationController to turn on CSRF verification in the application.
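The gap the PR describes, modelled as an added example in plain Ruby so it runs without Rails (this is not the PR's diff, not upmin's code, and not Rails' own implementation). The `Request` struct, the two controller classes, the `update_record` action and the helper functions are constructed for the example; `SAFE_METHODS` mirrors the idempotent methods that `protect_from_forgery` leaves unchecked, and the token comparison is deliberately constant-time. In a real engine the fix is a single line such as `protect_from_forgery with: :exception` in the engine's `ApplicationController`: controllers that subclass `ActionController::Base` directly do not inherit the host application's `ApplicationController` filters, so the host app being protected does not protect the engine.

```ruby
require "securerandom"

# Constructed stand-in for a Rails request (HTTP method, params, headers,
# server-side session). Not a Rails object; it exists so this runs offline.
Request = Struct.new(:http_method, :params, :headers, :session, keyword_init: true)

class InvalidAuthenticityToken < StandardError; end

# "Before": a base controller that subclasses the equivalent of
# ActionController::Base directly and never installs a CSRF filter.
class UnprotectedApplicationController
  def initialize(request)
    @request = request
  end

  # A state-changing action, as any admin backend has plenty of.
  def update_record
    run_before_actions
    "record updated"
  end

  private

  # No filters: a POST auto-submitted from an attacker's page goes through.
  def run_before_actions; end
end

# "After": the same base controller with a before-action modelling what
# `protect_from_forgery with: :exception` does: safe methods pass, every other
# request must carry the session's token, and a mismatch raises.
class ProtectedApplicationController < UnprotectedApplicationController
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  private

  def run_before_actions
    verify_authenticity_token
  end

  def verify_authenticity_token
    return if SAFE_METHODS.include?(@request.http_method)
    raise InvalidAuthenticityToken unless valid_token?(submitted_token)
  end

  # Rails accepts the token as a form field or as the X-CSRF-Token header.
  def submitted_token
    @request.params["authenticity_token"] || @request.headers["X-CSRF-Token"]
  end

  def valid_token?(token)
    expected = @request.session[:_csrf_token]
    return false if token.nil? || expected.nil?
    constant_time_equal?(token, expected)
  end

  # Length check, then XOR every byte so the comparison never short-circuits
  # on the first differing character.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Session as it looks after the form page was rendered: one random token.
def fresh_session
  { _csrf_token: SecureRandom.base64(32) }
end

# A form submitted from the admin's own page carries the session's token.
def same_site_post(session)
  Request.new(http_method: "POST",
              params: { "id" => "1", "authenticity_token" => session[:_csrf_token] },
              headers: {}, session: session)
end

# A form auto-submitted from an attacker's page: the browser still sends the
# victim's session cookie, but the attacker cannot read the token to include it.
def cross_site_post(session, guessed_token: nil)
  params = { "id" => "1" }
  params["authenticity_token"] = guessed_token if guessed_token
  Request.new(http_method: "POST", params: params, headers: {}, session: session)
end

def plain_get(session)
  Request.new(http_method: "GET", params: {}, headers: {}, session: session)
end

# Drive a controller with the cross-site POST and report whether it got through.
def attack_succeeds?(controller_class, session = fresh_session)
  controller_class.new(cross_site_post(session)).update_record
  true
rescue InvalidAuthenticityToken
  false
end

puts "unprotected: attack succeeds? #{attack_succeeds?(UnprotectedApplicationController)}"
puts "protected:   attack succeeds? #{attack_succeeds?(ProtectedApplicationController)}"
```

The check that matters is the one `attack_succeeds?` exercises: the unprotected base class lets the forged POST update the record, the protected one raises, while the same session's own form post and a plain GET still work. The per-form token masking Rails adds on top of this is not modelled here.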

mbrookes commented 8 years ago

Upmin is no longer maintained, you might want to look at https://github.com/thoughtbot/administrate instead.

If you're actively using Upmin, and wish to take over development, I'm sure the owner would be open to it.

jsyeo commented 8 years ago

@mbrookes yep, I am aware of that. I am submitting this PR just in case there are people still using upmin. Do note that the maintainer announced that he is no longer maintaining this only just five months ago.

mbrookes commented 8 years ago

Just saying. :smile: I'll merge without review, but it's unlikely to get published.

jsyeo commented 8 years ago

Thanks! :dance: