From b8b7cd99bd9b43a04e37e8bc1258b34f78f48289 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Tue, 4 Oct 2022 14:47:17 +0200
Subject: [PATCH] SubmissionsController: Allow JS to be "rendered"

We skip verifying the authenticity token for the action, to prevent raising a `ActionController::InvalidCrossOriginRequest` exception.
---
 app/controllers/submissions_controller.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb
index 618ed5f7..d57ff6a3 100644
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@@ -15,8 +15,9 @@ class SubmissionsController < ApplicationController
 # Overwrite the CSP header and some default actions for the :render_file action
 content_security_policy false, only: :render_file
 skip_before_action :deny_access_from_render_host, only: :render_file
- skip_before_action :verify_authenticity_token, only: :render_file
 before_action :require_user!, except: :render_file
+ # We want to serve .js files without raising a `ActionController::InvalidCrossOriginRequest` exception
+ skip_before_action :verify_authenticity_token, only: %i[render_file download_file]
 def create
 @submission = Submission.new(submission_params)
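Review bot: Adding `download_file` to the `skip_before_action :verify_authenticity_token` line switches off more than the exception named in the new comment: for that action it removes both the CSRF token check on non-GET requests and Rails' same-origin check on JavaScript responses. Unlike `render_file`, `download_file` is still covered by `before_action :require_user!`, so it appears to be session-authenticated, and without the same-origin check another site could include a signed-in user's `.js` file via a `<script>` tag unless SameSite cookies or another control prevents it. The bodies of both actions and the rest of the class lie outside this hunk, so please confirm that they are routed as GET only and change no state; if `download_file` only has to deliver the file, sending it as an attachment with a non-script content type would presumably avoid the exception without the skip. At minimum the comment should record the trade-off, e.g. `# Skipping this also disables CSRF and cross-origin <script> protection for these actions; keep them GET-only and side-effect free`.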