From 806b6c5d9df5ef1b4a23a25b321d76e524d28fb0 Mon Sep 17 00:00:00 2001 From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com> Date: Sun, 3 May 2026 05:11:07 -0700 Subject: [PATCH] Use protect_from_forgery with: :exception (#6920) CodeQL alert #60 (rb/csrf-protection-disabled, CWE-352): calling protect_from_forgery with no with: argument downgrades the failure mode to with: :null_session, weaker than the Rails 5+ default of with: :exception that ActionController::Base would otherwise apply. Make the strategy explicit so the call no longer weakens the default, matching option 2 from the issue (more self-documenting than removing the call entirely). --- app/controllers/application_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 811e48f9fc..6b14da7b6a 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -4,7 +4,7 @@ class ApplicationController < ActionController::Base include Organizational include Users::TimeZone - protect_from_forgery + protect_from_forgery with: :exception before_action :store_user_location!, if: :storable_location? before_action :authenticate_user! before_action :set_current_user
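Review bot: the change from a bare `protect_from_forgery` to `protect_from_forgery with: :exception` in this hunk turns a missing or invalid authenticity token from a silently emptied session into a raised ActionController::InvalidAuthenticityToken, and since the forgery check is declared ahead of `before_action :authenticate_user!` it now fires before authentication on every non-GET request that inherits from ApplicationController. Two follow-ups worth confirming in the PR: first, that any subclass serving non-browser clients (token-authenticated JSON endpoints, inbound webhooks) explicitly opts out with `skip_forgery_protection` or its own `protect_from_forgery with: :null_session`, rather than silently starting to fail on this stricter inherited default; second, that the raised exception is rendered as a 422 (Rails' default handling, or an app-level `rescue_from ActionController::InvalidAuthenticityToken`) rather than surfacing as a 500 in production. A request spec that POSTs to a form endpoint without a token and asserts on the exception or the 422 would lock in the new behaviour and document the intent the commit message describes.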