diff --git a/api/app/controllers/spree/api/base_controller.rb b/api/app/controllers/spree/api/base_controller.rb index 2f1c937ddb2..d390a89c732 100644 --- a/api/app/controllers/spree/api/base_controller.rb +++ b/api/app/controllers/spree/api/base_controller.rb @@ -7,6 +7,7 @@ module Api class BaseController < ActionController::Base self.responder = Spree::Api::Responders::AppResponder respond_to :json + protect_from_forgery unless: -> { request.format.json? } include CanCan::ControllerAdditions include Spree::Core::ControllerHelpers::Store diff --git a/backend/spec/features/admin/orders/payments_spec.rb b/backend/spec/features/admin/orders/payments_spec.rb index 039afa3d664..5e5a931ab4c 100644 --- a/backend/spec/features/admin/orders/payments_spec.rb +++ b/backend/spec/features/admin/orders/payments_spec.rb @@ -22,7 +22,7 @@ end # Regression tests for https://github.com/spree/spree/issues/1453 - context 'with a check payment' do + context 'with a check payment', js: true do let(:order) { create(:completed_order_with_totals, number: 'R100') } let!(:payment) do create(:payment, @@ -205,7 +205,7 @@ visit spree.admin_order_payments_path(order.reload) end - it "can successfully be created and captured" do + it "can successfully be created and captured", js: true do click_on 'Update' expect(page).to have_content("Payment has been successfully created!") click_icon(:capture) diff --git a/core/lib/generators/spree/dummy/templates/rails/test.rb b/core/lib/generators/spree/dummy/templates/rails/test.rb index 5dab451bee8..ab8d005dab6 100644 --- a/core/lib/generators/spree/dummy/templates/rails/test.rb +++ b/core/lib/generators/spree/dummy/templates/rails/test.rb @@ -20,9 +20,6 @@ # Raise exceptions instead of rendering exception templates config.action_dispatch.show_exceptions = false - # Disable request forgery protection in test environment - config.action_controller.allow_forgery_protection = false - # Tell Action Mailer not to deliver emails to the real world. # The :test delivery method accumulates sent emails in the # ActionMailer::Base.deliveries array. diff --git a/core/lib/spree/testing_support/dummy_app.rb b/core/lib/spree/testing_support/dummy_app.rb index 6d5651c7525..ffb4d327935 100644 --- a/core/lib/spree/testing_support/dummy_app.rb +++ b/core/lib/spree/testing_support/dummy_app.rb @@ -12,9 +12,16 @@ require 'solidus_core' +# @private +def forgery_protected_by_default? + Gem::Version.new(Rails.version) >= Gem::Version.new('5.2') +end + # @private class ApplicationController < ActionController::Base - protect_from_forgery with: :exception + if !forgery_protected_by_default? + protect_from_forgery with: :exception + end end # @private @@ -50,14 +57,18 @@ class Application < ::Rails::Application config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' } config.whiny_nils = true config.consider_all_requests_local = true + config.action_controller.allow_forgery_protection = true config.action_controller.perform_caching = false config.action_dispatch.show_exceptions = false config.active_support.deprecation = :stderr config.action_mailer.delivery_method = :test - config.action_controller.allow_forgery_protection = false config.active_support.deprecation = :stderr config.secret_key_base = 'SECRET_TOKEN' + if forgery_protected_by_default? + config.action_controller.default_protect_from_forgery = true + end + if config.active_record.sqlite3 # Rails >= 5.2 config.active_record.sqlite3.represent_boolean_as_integer = true