author | David Heinemeier Hansson <david@loudthinking.com> | 2007-11-30 21:04:57 +0000 |
---|---|---|
committer | David Heinemeier Hansson <david@loudthinking.com> | 2007-11-30 21:04:57 +0000 |
commit | e03f13c5538e38b501014fd5702309bcd7e16cbb (patch) | |
tree | c5e266e897a885c6dab7aa657c13284c9dc2c285 /actionpack | |
parent | b6d255559eeead2b95f6c5e4035f4b82d2b88355 (diff) | |
Fixed that verification violations with no specified action didn't halt the chain (now they do with a 400 Bad Request) [DHH]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8245 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/CHANGELOG | 5 | ||||
-rw-r--r-- | actionpack/lib/action_controller/verification.rb | 21 | ||||
-rw-r--r-- | actionpack/test/controller/verification_test.rb | 11 |
3 files changed, 31 insertions, 6 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 0155731943..04e212f7dc 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,3 +1,8 @@ +*SVN* + +* Fixed that verification violations with no specified action didn't halt the chain (now they do with a 400 Bad Request) [DHH] + + *2.0.0 [RC2]* (November 28th, 2007) * Raise UnknownHttpMethod exception for unknown HTTP methods. Closes #10303 [tarmo] diff --git a/actionpack/lib/action_controller/verification.rb b/actionpack/lib/action_controller/verification.rb index 8550f24526..e5045fba7c 100644 --- a/actionpack/lib/action_controller/verification.rb +++ b/actionpack/lib/action_controller/verification.rb @@ -12,7 +12,8 @@ module ActionController #:nodoc: # parameters being set, or without certain session values existing. # # When a verification is violated, values may be inserted into the flash, and - # a specified redirection is triggered. + # a specified redirection is triggered. If no specific action is configured, + # verification failures will by default result in a 400 Bad Request response. # # Usage: # @@ -81,7 +82,7 @@ module ActionController #:nodoc: prereqs_invalid = [*options[:params] ].find { |v| params[v].nil? } || [*options[:session]].find { |v| session[v].nil? } || - [*options[:flash] ].find { |v| flash[v].nil? } + [*options[:flash] ].find { |v| flash[v].nil? } if !prereqs_invalid && options[:method] prereqs_invalid ||= 
@@ -93,13 +94,21 @@ module ActionController #:nodoc: if prereqs_invalid flash.update(options[:add_flash]) if options[:add_flash] response.headers.update(options[:add_headers]) if options[:add_headers] + unless performed? - render(options[:render]) if options[:render] - options[:redirect_to] = self.send!(options[:redirect_to]) if options[:redirect_to].is_a? Symbol - redirect_to(options[:redirect_to]) if options[:redirect_to] + case + when options[:render] + render(options[:render]) + when options[:redirect_to] + options[:redirect_to] = self.send!(options[:redirect_to]) if options[:redirect_to].is_a?(Symbol) + redirect_to(options[:redirect_to]) + else + head(:bad_request) + end end end end + private :verify_action end -end +end
\ No newline at end of file diff --git a/actionpack/test/controller/verification_test.rb b/actionpack/test/controller/verification_test.rb index bbcd7d59d8..e61bd5cccb 100644 --- a/actionpack/test/controller/verification_test.rb +++ b/actionpack/test/controller/verification_test.rb @@ -37,6 +37,8 @@ class VerificationTest < Test::Unit::TestCase verify :only => :guarded_one_for_named_route_test, :params => "one", :redirect_to => :foo_url + verify :only => :no_default_action, :params => "santa" + def guarded_one render :text => "#{params[:one]}" end @@ -89,6 +91,10 @@ class VerificationTest < Test::Unit::TestCase render :text => "Was a post!" end + def no_default_action + # Will never run + end + protected def rescue_action(e) raise end @@ -229,6 +235,11 @@ class VerificationTest < Test::Unit::TestCase assert_equal "Was a post!", @response.body end + def test_default_failure_should_be_a_bad_request + post :no_default_action + assert_response :bad_request + end + def test_guarded_post_and_calls_render_fails_and_sets_allow_header get :must_be_post assert_response 405 |
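Review bot: In the `when options[:redirect_to]` branch of verify_action the resolved URL is written back into `options[:redirect_to]`, so the Symbol is replaced by whatever `send!` returned on the first violation. The `verify` caller is outside this hunk, but if that hash is the one captured when the class is defined, it is shared by every request, and a URL built from the first failing request (including its host) would be reused for all later ones. Keeping the result in a local avoids the mutation: `target = options[:redirect_to]`, `target = send!(target) if target.is_a?(Symbol)`, `redirect_to(target)`. The new `else head(:bad_request)` default fails closed, and a comment such as `# No handler configured: fail closed so the guarded action never runs` would record why it must stay. verify_action's body starts outside the hunk.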
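Review bot: `test_default_failure_should_be_a_bad_request` asserts only the status code, and `no_default_action` (added in the earlier hunk of this file) has an empty body, so the test does not directly show that the guarded action was skipped. Giving the action an observable effect, e.g. `render :text => "should not run"`, and adding `assert_not_equal "should not run", @response.body` would pin the halt itself rather than just the response code. The test also covers only a missing `:params` prerequisite via POST; `:session`, `:flash` and `:method` violations presumably reach the same default through verify_action, but nothing in these hunks exercises that.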