Fix some user-independent endpoints potentially reading session cookies (#24650)

2025-12-15 08:48:53 +00:00 · 2023-04-25 22:14:44 +02:00
parent 276c39361b
commit 1419f90ef2
6 changed files with 32 additions and 0 deletions
--- a/app/controllers/manifests_controller.rb
+++ b/app/controllers/manifests_controller.rb
@@ -1,6 +1,10 @@
 # frozen_string_literal: true

 class ManifestsController < ActionController::Base # rubocop:disable Rails/ApplicationController
+  # Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
+  # and thus re-issuing session cookies
+  serialization_scope nil
+
  def show
    expires_in 3.minutes, public: true
    render json: InstancePresenter.new, serializer: ManifestSerializer, root: 'instance'