Skip CSRF protection in Generic Alerts Endpoint

Public API endpoints doesn't need to have CSRF protection

Skip CSRF protection in Generic Alerts Endpoint
Public API endpoints doesn't need to have CSRF protection
0f832a56 · Vitali Tatarintev · Peter Leitzen · 72e1c25a · 0f832a56 · 0f832a56
Commit 0f832a56 authored Sep 30, 2019 by Vitali Tatarintev Committed by Peter Leitzen Sep 30, 2019
2 changed files
--- a/ee/app/controllers/projects/alerting/notifications_controller.rb
+++ b/ee/app/controllers/projects/alerting/notifications_controller.rb
@@ -5,6 +5,7 @@ module Projects
    class NotificationsController < Projects::ApplicationController
      respond_to :json

+      skip_before_action :verify_authenticity_token
      skip_before_action :project

      prepend_before_action :repository, :project_without_auth

--- a/ee/spec/controllers/projects/alerting/notifications_controller_spec.rb
+++ b/ee/spec/controllers/projects/alerting/notifications_controller_spec.rb
@@ -10,6 +10,10 @@ describe Projects::Alerting::NotificationsController do
    let(:service_response) { ServiceResponse.success }
    let(:notify_service) { instance_double(Projects::Alerting::NotifyService, execute: service_response) }

+    around do |example|
+      ForgeryProtection.with_forgery_protection { example.run }
+    end
+
    before do
      allow(Projects::Alerting::NotifyService).to receive(:new).and_return(notify_service)
    end