authorLisa Ugray <lisa.ugray@shopify.com>2017-07-10 15:44:12 -0400
committerLisa Ugray <lisa.ugray@shopify.com>2017-07-10 16:23:48 -0400
commit73b944eca721be750e1263c15d221f153d1396d0 (patch)
tree4f873f87925fbeb931bf580bf24d10e6e210d7fe
parentec4a836919c021c0a5cf9ebeebb4db5e02104a55 (diff)
downloadrails-73b944eca721be750e1263c15d221f153d1396d0.tar.gz
rails-73b944eca721be750e1263c15d221f153d1396d0.tar.bz2
rails-73b944eca721be750e1263c15d221f153d1396d0.zip
Add ActionController::Base.skip_forgery_protection
Since we now default to `protect_from_forgery with: :exception`, provide a wrapper to `skip_before_action :verify_authenticity_token` for disabling forgery protection.
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb9
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb30
2 files changed, 39 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 117dee2219..027dae60fa 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -132,6 +132,15 @@ module ActionController #:nodoc:
append_after_action :verify_same_origin_request
end
+ # Turn off request forgery protection. This is a wrapper for:
+ #
+ # skip_before_action :verify_authenticity_token
+ #
+ # See +skip_before_action+ for allowed options.
+ def skip_forgery_protection(options = {})
+ skip_before_action :verify_authenticity_token, options
+ end
+
private
def protection_method_class(name)
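Review bot: The comment on the new `skip_forgery_protection` should say what a bare call does: with no options it removes `verify_authenticity_token` for every action of the controller and every subclass, which is the whole CSRF check, and it should point readers at the `only:`/`except:`/`if:` options for narrowing the skip rather than only referring to +skip_before_action+ for "allowed options". Suggested addition to the comment: `# Without options this removes the check for every action of this controller and its subclasses; prefer scoping it with only:, except: or if:.` It is also worth documenting that, like +skip_before_action+, the call presumably raises ArgumentError when :verify_authenticity_token has not been registered on the controller (this follows from skip_before_action's default rather than from anything visible in the hunk, so confirm before writing it). The surrounding module continues outside the hunk.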
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 521d93f02e..4d441ab1a9 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -163,6 +163,13 @@ class PerFormTokensController < ActionController::Base
end
end
+class SkipProtectionController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery with: :exception
+ skip_forgery_protection if: :skip_requested
+ attr_accessor :skip_requested
+end
+
# common test methods
module RequestForgeryProtectionTests
def setup
@@ -964,3 +971,26 @@ class PerFormTokensControllerTest < ActionController::TestCase
assert_equal expected, actual
end
end
+
+class SkipProtectionControllerTest < ActionController::TestCase
+ def test_should_not_allow_post_without_token_when_not_skipping
+ @controller.skip_requested = false
+ assert_blocked { post :index }
+ end
+
+ def test_should_allow_post_without_token_when_skipping
+ @controller.skip_requested = true
+ assert_not_blocked { post :index }
+ end
+
+ def assert_blocked
+ assert_raises(ActionController::InvalidAuthenticityToken) do
+ yield
+ end
+ end
+
+ def assert_not_blocked
+ assert_nothing_raised { yield }
+ assert_response :success
+ end
+end
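Review bot: SkipProtectionControllerTest covers only the scoped `if:` form; the no-argument call that the commit message describes as the replacement for `skip_before_action :verify_authenticity_token` is never exercised, so a regression in option forwarding for the common case would go unnoticed. A second controller with a bare `skip_forgery_protection` and a test that `post :index` without a token gets `assert_response :success` would close that gap, and a test that leaves `skip_requested` unset (nil) and still expects `assert_blocked` would pin the default state in the SkipProtectionController hunk above. `assert_blocked` and `assert_not_blocked` are helpers rather than tests; placing them under `private` keeps them out of the test case's public methods and matches how the other test classes in this file read.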