diff options
| author | Ross Kaffenburger and Bryan Helmkamp <developers@weplay.com> | 2009-03-04 16:05:15 -0500 |
|---|---|---|
| committer | Carl Lerche & Yehuda Katz <wycats@gmail.com> | 2009-04-15 16:04:21 -0700 |
| commit | 256b0ee8e3c1610967dfc89f864e24b98ed3c236 (patch) | |
| tree | 057ef8c74d5aeaf964dd7a1743359a758c1bbf7a | |
| parent | 3c1187699a80e0c4a003f5693389595cd644390f (diff) | |
| download | rails-256b0ee8e3c1610967dfc89f864e24b98ed3c236.tar.gz rails-256b0ee8e3c1610967dfc89f864e24b98ed3c236.tar.bz2 rails-256b0ee8e3c1610967dfc89f864e24b98ed3c236.zip | |
Don't check authenticity tokens for any AJAX requests
| -rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/base/request_forgery_protection.rb | 3 | ||||
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 11 |
3 files changed, 10 insertions, 6 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 11ee1c1059..204f5ae272 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -7,6 +7,8 @@ * Fixed that redirection would just log the options, not the final url (which lead to "Redirected to #<Post:0x23150b8>") [DHH] +* Don't check authenticity tokens for any AJAX requests [Ross Kaffenberger/Bryan Helmkamp] + * Added ability to pass in :public => true to fresh_when, stale?, and expires_in to make the request proxy cachable #2095 [Gregg Pollack] * Fixed that passing a custom form builder would be forwarded to nested fields_for calls #2023 [Eloy Duran/Nate Wiger] diff --git a/actionpack/lib/action_controller/base/request_forgery_protection.rb b/actionpack/lib/action_controller/base/request_forgery_protection.rb index f3e6288c26..3067122ceb 100644 --- a/actionpack/lib/action_controller/base/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/base/request_forgery_protection.rb @@ -81,12 +81,13 @@ module ActionController #:nodoc: # Returns true or false if a request is verified. Checks: # - # * is the format restricted? By default, only HTML and AJAX requests are checked. + # * is the format restricted? By default, only HTML requests are checked. # * is it a GET request? Gets should be safe and idempotent # * Does the form_authenticity_token match the given token value from the params? def verified_request? !protect_against_forgery? || request.method == :get || + request.xhr? || !verifiable_request_format? || form_authenticity_token == params[request_forgery_protection_token] end diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 835e73e3ab..83925ed4db 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -151,14 +151,10 @@ module RequestForgeryProtectionTests delete :index, :format => 'xml' end end - + def test_should_allow_xhr_post_without_token assert_nothing_raised { xhr :post, :index } end - def test_should_not_allow_xhr_post_with_html_without_token - @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s - assert_raise(ActionController::InvalidAuthenticityToken) { xhr :post, :index } - end def test_should_allow_xhr_put_without_token assert_nothing_raised { xhr :put, :index } @@ -168,6 +164,11 @@ module RequestForgeryProtectionTests assert_nothing_raised { xhr :delete, :index } end + def test_should_allow_xhr_post_with_encoded_form_content_type_without_token + @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s + assert_nothing_raised { xhr :post, :index } + end + def test_should_allow_post_with_token post :index, :authenticity_token => @token assert_response :success |