
Fix anonymous visitors getting a session cookie on first visit (#24584)

This commit is contained in:
Claire 2023-04-25 16:51:38 +02:00 committed by GitHub
parent 6084461cd0
commit 276c39361b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 64 additions and 26 deletions


@ -8,7 +8,6 @@ class Api::BaseController < ApplicationController
include AccessTokenTrackingConcern
include ApiCachingConcern
skip_before_action :store_current_location
skip_before_action :require_functional!, unless: :whitelist_mode?
before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?


@ -20,6 +20,7 @@ class ApplicationController < ActionController::Base
helper_method :sso_account_settings
helper_method :whitelist_mode?
helper_method :body_class_string
helper_method :skip_csrf_meta_tags?
rescue_from ActionController::ParameterMissing, Paperclip::AdapterRegistry::NoHandlerError, with: :bad_request
rescue_from Mastodon::NotPermittedError, with: :forbidden
@ -36,7 +37,7 @@ class ApplicationController < ActionController::Base
service_unavailable
end
before_action :store_current_location, except: :raise_not_found, unless: :devise_controller?
before_action :store_referrer, except: :raise_not_found, if: :devise_controller?
before_action :require_functional!, if: :user_signed_in?
before_action :set_cache_control_defaults
@ -57,14 +58,25 @@ class ApplicationController < ActionController::Base
!authorized_fetch_mode?
end
def store_current_location
store_location_for(:user, request.url) unless [:json, :rss].include?(request.format&.to_sym)
def store_referrer
return if request.referer.blank?
redirect_uri = URI(request.referer)
return if redirect_uri.path.start_with?('/auth')
stored_url = redirect_uri.to_s if redirect_uri.host == request.host && redirect_uri.port == request.port
store_location_for(:user, stored_url)
end
def require_functional!
redirect_to edit_user_registration_path unless current_user.functional?
end
def skip_csrf_meta_tags?
false
end
def after_sign_out_path_for(_resource_or_scope)
if ENV['OMNIAUTH_ONLY'] == 'true' && ENV['OIDC_ENABLED'] == 'true'
'/auth/auth/openid_connect/logout'
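Review bot: `URI(request.referer)` in the new `store_referrer` raises `URI::InvalidURIError` on a malformed Referer header, which any client can send, so this before_action turns a bad header into a 500 on every Devise page instead of just not storing a location; the method needs `rescue URI::InvalidURIError` / `nil` before its `end`. A referer without a path component (an opaque URI such as `mailto:`) can also yield a nil path, so the check on the next line should read `return if redirect_uri.path.blank? || redirect_uri.path.start_with?('/auth')`. For a cross-origin referer the method passes nil to `store_location_for`; what Devise does with a nil location is not visible here, so a one-line comment stating the intent (store nothing for referers from another host or port) would help the next reader. The hunk's last method, `after_sign_out_path_for`, continues past the end of the section.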


@ -10,6 +10,10 @@ module WebAppControllerConcern
vary_by 'Accept, Accept-Language, Cookie'
end
def skip_csrf_meta_tags?
current_user.nil?
end
def set_app_body_class
@body_classes = 'app-body'
end
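Review bot: The `skip_csrf_meta_tags?` override at the top of this hunk returns `current_user.nil?` without saying why an anonymous visitor should get no CSRF meta tags, and that reason is the whole point of the commit. A why-comment above the method would keep a later maintainer from "fixing" it back: `# Emitting the CSRF token would create a session for anonymous visitors, who must not receive a session cookie on first visit.` Presumably any script on these web-app pages that issues a state-changing request while signed out can no longer pick a token up from the page, so it is worth confirming that no anonymous-visitor flow relies on one.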


@ -3,7 +3,6 @@
class MediaController < ApplicationController
include Authorization
skip_before_action :store_current_location
skip_before_action :require_functional!, unless: :whitelist_mode?
before_action :authenticate_user!, if: :whitelist_mode?


@ -6,7 +6,6 @@ class MediaProxyController < ApplicationController
include Redisable
include Lockable
skip_before_action :store_current_location
skip_before_action :require_functional!
before_action :authenticate_user!, if: :whitelist_mode?