mirror of
https://github.com/basecamp/once-campfire.git
synced 2026-07-16 20:50:43 +09:00
49f06d0b22
- Including Authentication re-arms protect_from_forgery on DiskController.
Active Storage's direct-upload service PUT (#update) sends only signed
service headers and no CSRF token, so a real authenticated upload would
422 storing bytes. Re-exempt #update from forgery protection; the signed
URL token and session check still gate the write.
- Swap the raw skip_before_action for the Authentication concern's
intent-revealing allow_unauthenticated_access / allow_bot_access helpers
on #show, matching the rest of the app.
- Scope the test's ActiveStorage::Current.url_options override to a
set { } block so it can't leak thread-local state into later tests.