diff options
| author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2016-02-22 18:40:48 -0300 |
|---|---|---|
| committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2016-02-22 18:40:48 -0300 |
| commit | 1358fce5aa77982b8b7eabcad959e1799d420a2b (patch) | |
| tree | 4ecab9fc7478b14d63abeb907a9e52a725fc5b15 | |
| parent | c57e7239a8b82957bcb07534cb7c1a3dcef71864 (diff) | |
| download | rails-1358fce5aa77982b8b7eabcad959e1799d420a2b.tar.gz rails-1358fce5aa77982b8b7eabcad959e1799d420a2b.tar.bz2 rails-1358fce5aa77982b8b7eabcad959e1799d420a2b.zip | |
Make per form token work when method is not provided
When `button_to 'Botton', url` form was being used the per form token
was not correct because the method that is was being used to generate it
was an empty string.
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 18 | ||||
| -rw-r--r-- | actionview/lib/action_view/helpers/url_helper.rb | 3 |
2 files changed, 18 insertions, 3 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index c645af88d7..f7dcbc1984 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -133,11 +133,11 @@ class PerFormTokensController < ActionController::Base self.per_form_csrf_tokens = true def index - render inline: "<%= form_tag (params[:form_path] || '/per_form_tokens/post_one'), method: (params[:form_method] || :post) %>" + render inline: "<%= form_tag (params[:form_path] || '/per_form_tokens/post_one'), method: params[:form_method] %>" end def button_to - render inline: "<%= button_to 'Button', (params[:form_path] || '/per_form_tokens/post_one'), method: (params[:form_method] || :post) %>" + render inline: "<%= button_to 'Button', (params[:form_path] || '/per_form_tokens/post_one'), method: params[:form_method] %>" end def post_one @@ -710,6 +710,20 @@ class PerFormTokensControllerTest < ActionController::TestCase end end + test "Accepts proper token for implicit post method on button_to tag" do + get :button_to + + form_token = assert_presence_and_fetch_form_csrf_token + + assert_matches_session_token_on_server form_token, 'post' + + # This is required because PATH_INFO isn't reset between requests. + @request.env['PATH_INFO'] = '/per_form_tokens/post_one' + assert_nothing_raised do + post :post_one, params: { custom_authenticity_token: form_token } + end + end + %w{delete post patch}.each do |verb| test "Accepts proper token for #{verb} method on button_to tag" do get :button_to, params: { form_method: verb } diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb index 2454ed4ed4..ab67923376 100644 --- a/actionview/lib/action_view/helpers/url_helper.rb +++ b/actionview/lib/action_view/helpers/url_helper.rb @@ -312,7 +312,8 @@ module ActionView form_options[:'data-remote'] = true if remote request_token_tag = if form_method == 'post' - token_tag(nil, form_options: { action: url, method: method }) + request_method = method.empty? ? 'post' : method + token_tag(nil, form_options: { action: url, method: request_method }) else '' end |