From 2a27afc6561390fb1dc024a3f09070df88ef6389 Mon Sep 17 00:00:00 2001
From: Patrick Figel
Date: Mon, 15 Jan 2018 06:51:23 +0100
Subject: [PATCH] Suppress CSRF token warnings (#6240)

CSRF token checking was enabled for API controllers in #6223, producing "Can't verify CSRF token authenticity" log spam. This disables logging of failed CSRF checks. This also changes the protection strategy for PushSubscriptionsController to use exceptions, making it consistent with other controllers that use sessions.
---
 app/controllers/api/web/push_subscriptions_controller.rb | 1 +
 config/initializers/suppress_csrf_warnings.rb | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 config/initializers/suppress_csrf_warnings.rb

diff --git a/app/controllers/api/web/push_subscriptions_controller.rb b/app/controllers/api/web/push_subscriptions_controller.rb
index 52e250d02d..68ccbd5e20 100644
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@@ -4,6 +4,7 @@ class Api::Web::PushSubscriptionsController < Api::BaseController
 respond_to :json
 before_action :require_user!
+ protect_from_forgery with: :exception
 def create
 params.require(:subscription).require(:endpoint)
diff --git a/config/initializers/suppress_csrf_warnings.rb b/config/initializers/suppress_csrf_warnings.rb
new file mode 100644
index 0000000000..410ab585b4
--- /dev/null
+++ b/config/initializers/suppress_csrf_warnings.rb
@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+ActionController::Base.log_warning_on_csrf_failure = false
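Review bot: `protect_from_forgery with: :exception` makes a failed check raise ActionController::InvalidAuthenticityToken, and nothing in this hunk maps that exception to a JSON response even though the controller is declared `respond_to :json`; unless Api::BaseController (outside the hunk) already rescues it, a forged or stale-token POST will get the framework's generic HTML 422 page rather than a JSON error, so a handler such as `rescue_from(ActionController::InvalidAuthenticityToken) { render json: { error: 'Invalid authenticity token' }, status: 422 }` in the base class is worth confirming or adding. The new line is also declared after `before_action :require_user!`, so the forgery callback is appended behind authentication and a forged request is authenticated before its token is checked; that is harmless if require_user! has no side effects, but if verification should run before any other callback use `protect_from_forgery with: :exception, prepend: true`. The class body continues past the hunk, so the rest of create is not reviewed here.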
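Review bot: `ActionController::Base.log_warning_on_csrf_failure = false` silences the "Can't verify CSRF token authenticity" warning for every controller in the application, not just the API controllers the commit message identifies as the source of the noise, so a genuine CSRF failure on a session-backed web controller (including the `:exception` strategy this same commit enables on PushSubscriptionsController) no longer leaves any log trace for monitoring or incident review. log_warning_on_csrf_failure is a config accessor that subclasses can override, so the suppression can be scoped instead: drop the global initializer and set `self.log_warning_on_csrf_failure = false` inside Api::BaseController, leaving ActionController::Base at its default. Whichever scope is kept, the file should state why it exists; a comment above the assignment along the lines of `# CSRF checking was enabled for API controllers in #6223; API requests that carry no session token would otherwise log a warning on every call, so the failure warning is disabled here.` would spare the next reader a trip through the commit history.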