controllers: return 400 instead of 403 for GET requests with body.

Fix for 3184e77de. Return 400 Bad Request instead of 403 Forbidden for GET requests with a body.
2022-09-22 00:57:17 -05:00
parent a229a6f5c4
commit 84ebef8c71
2 changed files with 4 additions and 4 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -118,12 +118,12 @@ class ApplicationController < ActionController::Base
      render_error_page(500, exception, template: "static/search_timeout", message: "The database timed out running your query.")
    when ActionController::BadRequest
      render_error_page(400, exception, message: exception.message)
+    when RequestBodyNotAllowedError
+      render_error_page(400, exception, message: "Request body not allowed for #{request.method} request")
    when SessionLoader::AuthenticationFailure
      render_error_page(401, exception, message: exception.message, template: "sessions/new")
    when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest, ActionController::Redirecting::UnsafeRedirectError
      render_error_page(403, exception, message: exception.message)
-    when RequestBodyNotAllowedError
-      render_error_page(403, exception, message: "Request body not allowed for #{request.method} request")
    when ActiveSupport::MessageVerifier::InvalidSignature, # raised by `find_signed!`
         User::PrivilegeError,
         Pundit::NotAuthorizedError
--- a/test/functional/application_controller_test.rb
+++ b/test/functional/application_controller_test.rb
@@ -10,10 +10,10 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
      assert_response 406
    end

-    should "return 403 Bad Request for a GET request with a body" do
+    should "return 400 Bad Request for a GET request with a body" do
      get root_path, headers: { "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json" }, env: { RAW_POST_DATA: "tags=touhou" }

-      assert_response 403
+      assert_response 400
      assert_equal("ApplicationController::RequestBodyNotAllowedError", response.parsed_body["error"])
      assert_equal("Request body not allowed for GET request", response.parsed_body["message"])
    end