author | Jeremy Kemper <jeremy@bitsweat.net> | 2009-11-17 23:36:48 -0800 |
---|---|---|
committer | Jeremy Kemper <jeremy@bitsweat.net> | 2009-11-17 23:40:06 -0800 |
commit | e1385be025263fad6d339010d42fe553d1de64af (patch) | |
tree | 9e514c2c2a0ad77e4b857ee3d52cfbcdc796f802 | |
parent | ea290e77e6c50b13a0c9000eceaa5412de6918bc (diff) | |
Extract form_authenticity_param instance method so it's overridable in subclasses
-rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 5 | ||||
-rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 20 |
2 files changed, 24 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 113c20a758..173df79ee7 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -101,6 +101,11 @@ module ActionController #:nodoc:
 session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
 end

+ # The form's authenticity parameter. Override to provide your own.
+ def form_authenticity_param
+ params[request_forgery_protection_token]
+ end
+
 def protect_against_forgery?
 allow_forgery_protection
 end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 7111796f8d..3e54ae96c5 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -18,7 +18,7 @@ module RequestForgeryProtectionActions
 def unsafe
 render :text => 'pwn'
 end
-
+
 def rescue_action(e) raise e end
 end

@@ -40,6 +40,13 @@ class FreeCookieController < RequestForgeryProtectionController
 end
 end

+class CustomAuthenticityParamController < RequestForgeryProtectionController
+ def form_authenticity_param
+ 'foobar'
+ end
+end
+
+
 # common test methods

 module RequestForgeryProtectionTests
@@ -241,3 +248,14 @@ class FreeCookieControllerTest < ActionController::TestCase
 end
 end
 end
+
+class CustomAuthenticityParamControllerTest < ActionController::TestCase
+ def setup
+ ActionController::Base.request_forgery_protection_token = :authenticity_tok
+ end
+
+ def test_should_allow_custom_token
+ post :index, :authenticity_token => 'foobar'
+ assert_response :ok
+ end
+end |
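Review bot: Nothing in this diff calls the new `form_authenticity_param`. The diffstat lists five changed lines for request_forgery_protection.rb and all five are the added method, so the verification code (outside this hunk) presumably still reads `params[request_forgery_protection_token]` directly, and a subclass override would have no effect on the CSRF check. The comparison there should go through the hook, e.g. `form_authenticity_token == form_authenticity_param`. The comment on the method should also state the contract an override has to keep, for example `# Must return the token value submitted with the current request; an override that returns a constant or the session token disables the forgery check.`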
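Review bot: `setup` in `CustomAuthenticityParamControllerTest` assigns `ActionController::Base.request_forgery_protection_token = :authenticity_tok` and nothing puts the old value back, so the class-level setting can leak into test cases that run later. Save the previous value in `setup` and restore it in a `teardown`. The single assertion also does not show that the override is what let the request through: the session token is not pinned to `'foobar'` anywhere in the visible lines and there is no negative case, so the test may pass without the hook ever being consulted. A companion test in which the override returns a non-matching value and the request is expected to be rejected would pin the behaviour.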