controllers: return 400 instead of 403 for GET requests with body.
Fix for 3184e77de. Return 400 Bad Request instead of 403 Forbidden for
GET requests with a body.
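--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -118,12 +118,12 @@ class ApplicationController < ActionController::Base
 render_error_page(500, exception, template: "static/search_timeout", message: "The database timed out running your query.")
 when ActionController::BadRequest
 render_error_page(400, exception, message: exception.message)
+when RequestBodyNotAllowedError
+render_error_page(400, exception, message: "Request body not allowed for #{request.method} request")
 when SessionLoader::AuthenticationFailure
 render_error_page(401, exception, message: exception.message, template: "sessions/new")
 when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest, ActionController::Redirecting::UnsafeRedirectError
 render_error_page(403, exception, message: exception.message)
-when RequestBodyNotAllowedError
-render_error_page(403, exception, message: "Request body not allowed for #{request.method} request")
 when ActiveSupport::MessageVerifier::InvalidSignature, # raised by `find_signed!`
 User::PrivilegeError,
 Pundit::NotAuthorizedError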
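Review bot: The new `when RequestBodyNotAllowedError` branch carries no comment explaining why a body on a GET is now a 400 rather than a 403, which is the whole point of the commit and will not be obvious to the next reader of this case statement; suggest `when RequestBodyNotAllowedError # a body on a GET is a malformed request (400), not a permission failure (403)`. Since `case`/`when` takes the first matching class, the branch only fires if `RequestBodyNotAllowedError` is not a subclass of `ActionController::BadRequest`, which is matched two lines earlier — its definition is not visible here, so worth confirming, although the test in this commit asserting the error name and message would catch such shadowing. The message interpolates `request.method`; as far as I recall Rails validates the verb before returning it, so reflecting it into the error body is not raw client input, but the choice of `method` (pre-override) over `request_method` (post-override) should be deliberate and could be noted in the same comment. The enclosing `case` and its `rescue` begin and end outside the hunk.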
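--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -10,10 +10,10 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
 assert_response 406
 end
 
-should "return 403 Bad Request for a GET request with a body" do
+should "return 400 Bad Request for a GET request with a body" do
 get root_path, headers: { "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json" }, env: { RAW_POST_DATA: "tags=touhou" }
 
-assert_response 403
+assert_response 400
 assert_equal("ApplicationController::RequestBodyNotAllowedError", response.parsed_body["error"])
 assert_equal("Request body not allowed for GET request", response.parsed_body["message"])
 end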
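Review bot: The test pins only the GET case, while the controller builds its message per verb (`Request body not allowed for #{request.method} request`); if the same check applies to other body-less verbs such as HEAD, a second `should` block with the matching expected message would also exercise the interpolation — the raising code is not visible from this hunk, so that is something to confirm. The `env: { RAW_POST_DATA: "tags=touhou" }` line deserves a short comment, since the integration-test `get` helper encodes `params:` into the query string and this is presumably the only way to attach a body; e.g. `# RAW_POST_DATA forces a request body; the get helper would otherwise put params in the query string`. The `should` block lies entirely inside the hunk, but the surrounding test class begins and ends outside it.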