Modification Routes Error With No Auth
DonovanDMC opened this issue · comments
I'm not seeing why this should be any different than all other pages. Could you give it a try with removing the `detect_xhr` `before_action` in the controller?
Same issue with that removed
Eh, alright. I'll take a look at this when I get rid of the old iqdb implementation, or give this a shot yourself (if you want)
Works just fine with a GET request, however.
Well, I have figured it out. This does happen in the other routes, `POST /wiki_pages.json` and `POST /uploads.json` for example, routes I tested and saw the same. So it's more that CSRF is being checked if API authentication isn't present, even if the response format is JSON. If the CSRF check didn't happen, the expected Access Denied response would be returned (on other routes, you'd get through fine here).
Though for IQDB specifically, I'm seeing a plain `null` returned when not providing any parameters. That's probably something that should be changed to the relevant format for each, or return an error.
> Works just fine with a GET request, however.

CSRF protection is disabled for GET requests.
I don't really feel like touching this:
The easiest solution to me is changing the error from unexpected to expected with some nice message:
`e621ng/app/controllers/application_controller.rb` (lines 68 to 69 in edae5a6)
> I don't really feel like touching this:

I really don't blame you there

> The easiest solution to me is changing the error from unexpected to expected with some nice message:

Having a proper error message there would be nice, so we at least know what's happening
Though for IQDB specifically, is there really a reason for it to have CSRF protection? I'm sure it's a default of forms and not a deliberate decision, but surely it could be disabled on that route. I can't see any reason for it to require CSRF protection besides maybe mitigating spam by unauthenticated users, and that's shaky at best.
IQDB is already rate limited to 1 request every 2 seconds for everyone. This endpoint really should be `GET`, but you must also be able to upload files. There should be something I can use to skip CSRF per controller. Just putting `skip_forgery_protection` in it seems like it should do the job just fine.
> This endpoint really should be `GET` but you must also be able to upload files.

I honestly didn't even know it could be a GET until faucet mentioned it. I was specifically uploading a file though when testing.
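As an added illustration (not code from the e621ng repository), the following plain-Ruby model captures the behaviour discussed above: the CSRF check runs on non-GET requests whenever API authentication is absent, regardless of the JSON format; a failed check is turned into an expected JSON error with a message instead of a bare `null` or an unexpected exception; and one controller opts out with a Rails-style `skip_forgery_protection`. The `Request` struct, the controller names and the error message are constructed stand-ins for what Rails does inside `protect_from_forgery`.

```ruby
# Constructed stand-in for a Rails request; real Rails reads these from the HTTP layer.
Request = Struct.new(:method, :format, :api_authenticated, :csrf_token_valid, keyword_init: true)

class InvalidAuthenticityToken < StandardError; end

class ApplicationController
  # Per-class opt-out, mirroring Rails' skip_forgery_protection (hypothetical re-implementation).
  def self.skip_forgery_protection
    @skip_forgery = true
  end

  def self.skip_forgery?
    !!@skip_forgery
  end

  def initialize(request)
    @request = request
  end

  # Runs the CSRF check first, then the action; a failed check becomes an
  # expected, structured error rather than a 500 or a plain null.
  def handle
    verify_authenticity_token!
    perform
  rescue InvalidAuthenticityToken => e
    { status: 403, body: { success: false, reason: e.message } }
  end

  private

  def verify_authenticity_token!
    return if self.class.skip_forgery?                 # controller opted out
    return if %w[GET HEAD].include?(@request.method)  # CSRF is not checked on GET
    return if @request.api_authenticated              # API auth bypasses the check
    return if @request.csrf_token_valid               # browser form with a valid token
    # Response format is irrelevant: a JSON POST without a token still fails here.
    raise InvalidAuthenticityToken,
          "missing or invalid CSRF token; authenticate with an API key for #{@request.format} requests"
  end
end

class WikiPagesController < ApplicationController
  def perform
    { status: 201, body: { success: true } }
  end
end

class IqdbQueriesController < ApplicationController
  skip_forgery_protection # the per-controller opt-out proposed in the thread

  def perform
    { status: 200, body: { success: true, results: [] } }
  end
end

# Helper so the same request description can be sent to any controller.
def dispatch(controller, **req)
  controller.new(Request.new(**req)).handle
end
```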