raggedstaff/openfoodnetwork
1
0
Fork 0
mirror of https://github.com/openfoodfoundation/openfoodnetwork synced 2026-01-25 20:46:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2fdb1861a6ff097b2ddbb5d646ca799269196128
openfoodnetwork/app/controllers/enterprises_controller.rb
Matt-Yorkley f1002b953d Disable Javascript CSRF protection on EnterprisesController#check_permalink route 
This route checks if an enterprise permalink is taken or not. Allowing the route to be accessed via Javascript without strict CSRF protection is reasonable. Fixes the following errors:

ActionController::InvalidCrossOriginRequest: Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.
2020-11-27 13:59:46 +00:00

83 lines
2.2 KiB
Ruby
Raw Blame History

require 'open_food_network/enterprise_injection_data'
class EnterprisesController < BaseController
layout "darkswarm"
helper Spree::ProductsHelper
include OrderCyclesHelper
include SerializerHelper
protect_from_forgery except: :check_permalink
# These prepended filters are in the reverse order of execution
prepend_before_action :set_order_cycles, :require_distributor_chosen, :reset_order, only: :shop
before_action :clean_permalink, only: :check_permalink
before_action :enable_embedded_shopfront
respond_to :js, only: :permalink_checker
def shop
return redirect_to main_app.cart_path unless enough_stock?
set_noindex_meta_tag
@enterprise = current_distributor
end
def relatives
set_enterprise
respond_to do |format|
format.json do
enterprises = @enterprise.andand.relatives.andand.activated
render(json: enterprises,
each_serializer: Api::EnterpriseSerializer,
data: OpenFoodNetwork::EnterpriseInjectionData.new)
end
end
end
def check_permalink
if Enterprise.find_by permalink: params[:permalink]
render(text: params[:permalink], status: :conflict) && return
end
begin
Rails.application.routes.recognize_path( "/#{params[:permalink]}" )
render text: params[:permalink], status: :conflict
rescue ActionController::RoutingError
render text: params[:permalink], status: :ok
end
end
private
def set_enterprise
@enterprise = Enterprise.find_by(id: params[:id])
end
def clean_permalink
params[:permalink] = params[:permalink].parameterize
end
def enough_stock?
current_order(true).insufficient_stock_lines.blank?
end
def reset_order
order = current_order(true)
# reset_distributor must be called before any call to current_customer or current_distributor
order_cart_reset = OrderCartReset.new(order, params[:id])
order_cart_reset.reset_distributor
order_cart_reset.reset_other!(spree_current_user, current_customer)
rescue ActiveRecord::RecordNotFound
flash[:error] = I18n.t(:enterprise_shop_show_error)
redirect_to shops_path
end
def set_noindex_meta_tag
@noindex_meta_tag = true unless current_distributor.visible?
end
end
Reference in New Issue View Git Blame Copy Permalink