[Git][noosfero/noosfero][master] 2 commits: bugfix in xss permission - map in my_profile

Bráulio Bhavamitra gitlab at mg.gitlab.com
Fri Dec 11 20:49:50 BRST 2015


Bráulio Bhavamitra pushed to branch master at Noosfero / noosfero


Commits:
1cc1598d by Vinicius Brand at 2015-12-11T20:42:29Z
bugfix in xss permission - map in my_profile

- - - - -
7e75c5c5 by Bráulio Bhavamitra at 2015-12-11T22:49:34Z
Merge branch 'fix-maps-load2' into 'master'

bugfix in xss permission - map in my_profile

This fixes a bug that happens when loading the map in my_profile (probably started happening in rails 4):


An ActionController::InvalidCrossOriginRequest occurred in maps#google_map:

  Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
  actionpack (4.2.4) lib/action_controller/metal/request_forgery_protection.rb:225:in `verify_same_origin_request'

See merge request !746
- - - - -


1 changed file:

- app/controllers/my_profile/maps_controller.rb


Changes:

=====================================
app/controllers/my_profile/maps_controller.rb
=====================================
--- a/app/controllers/my_profile/maps_controller.rb
+++ b/app/controllers/my_profile/maps_controller.rb
@@ -1,5 +1,7 @@
 class MapsController < MyProfileController
 
+  skip_before_filter :verify_authenticity_token, only: [:google_map]
+
   protect 'edit_profile', :profile
 
   def edit_location
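Review bot: The added skip_before_filter :verify_authenticity_token, only: [:google_map] turns off forgery protection for google_map entirely, when the error in the commit message is only about the cross-origin JavaScript check. That exception is Rails refusing to serve a JavaScript response to a non-XHR request, because a page on another origin could load it with a <script> tag under the logged-in user's session. With the skip in place, the protect 'edit_profile', :profile line still applies, but the same-origin check no longer does. Before keeping this, confirm that the google_map response carries no profile-specific or private data. Also consider whether the map can be requested via XHR or rendered as HTML, so the check passes without being disabled. If the skip stays, add a comment above it stating why it is safe for this action, and note that it also drops the token check for any non-GET request routed to google_map.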



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/fd438e0dc3fec1fea96e733b9b435a9e165d48da...7e75c5c56956d41d0e94668f75c9e51f4f264c1f