[Security] Fixes CSRF vulnerability, introduced by 53eef4f

Reported by SourceClear, Inc.

Author: mshibuya

app/controllers/rails_admin/application_controller.rb

@@ -11,6 +11,8 @@ class ActionNotAllowed < ::StandardError
   end
 
   class ApplicationController < Config.parent_controller.constantize
+    protect_from_forgery with: :exception
+
     before_action :_authenticate!
     before_action :_authorize!
     before_action :_audit!

spec/integration/rails_admin_spec.rb

@@ -148,4 +148,17 @@
       is_expected.to have_selector('.label-danger')
     end
   end
+
+  describe 'CSRF protection' do
+    before do
+      allow_any_instance_of(ActionController::Base).to receive(:protect_against_forgery?).and_return(true)
+    end
+
+    it 'is enforced' do
+      visit new_path(model_name: 'league')
+      fill_in 'league[name]', with: 'National league'
+      find('input[name="authenticity_token"]', visible: false).set("invalid token")
+      expect { click_button 'Save' }.to raise_error ActionController::InvalidAuthenticityToken
+    end
+  end
 end