From 4d49266f0fe5626ec9cff004b155690a7e6f7ee2 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Thu, 10 Nov 2022 13:01:48 +1100
Subject: [PATCH] Allow updates just with auth token

Rails usually requires an additional CSRF protection token but when it's not present we ignore the user's session and use only the OIDC auth token.
---
 .../app/controllers/dfc_provider/base_controller.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/engines/dfc_provider/app/controllers/dfc_provider/base_controller.rb b/engines/dfc_provider/app/controllers/dfc_provider/base_controller.rb
index 48b4d0e53c..bcee581836 100644
--- a/engines/dfc_provider/app/controllers/dfc_provider/base_controller.rb
+++ b/engines/dfc_provider/app/controllers/dfc_provider/base_controller.rb
@@ -3,6 +3,8 @@
 # Controller used to provide the API products for the DFC application
 module DfcProvider
 class BaseController < ActionController::Base
+ protect_from_forgery with: :null_session
+ rescue_from ActiveRecord::RecordNotFound, with: :not_found
 before_action :check_authorization
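Review bot: The added `protect_from_forgery with: :null_session` line is only safe if `check_authorization`, and whatever resolves the current user behind it, accepts nothing but the OIDC bearer token once the session has been emptied; neither is visible in this hunk, and the class body continues past it. With `:null_session` a request that lacks a valid CSRF token is no longer rejected but carries on with an empty session, so any identity source that survives that reset would leave state-changing endpoints without CSRF protection. I would record the intent next to the line, e.g. `# No CSRF token: the session is dropped, so only the OIDC token can authenticate the request.` A request spec would pin the behaviour: send an update with a logged-in session cookie but no CSRF token and no Authorization header, and expect it to be refused.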