diff options
author | rick <rick@spacemonkey.local> | 2008-05-13 09:41:10 -0700 |
---|---|---|
committer | rick <rick@spacemonkey.local> | 2008-05-13 09:41:10 -0700 |
commit | 74fd17346f30fddba0e174ae17f5697f2c22279e (patch) | |
tree | 1267cea613ee4a73a2f5ddf3fb24d224dc8bbded /actionpack/lib/action_controller/request_forgery_protection.rb | |
parent | d09a8446d5606a5a0b5c024224b09a1318e9cf4d (diff) | |
parent | 4dedc7ddcaffa8c606af11ae2d32707131b99a2e (diff) | |
download | rails-74fd17346f30fddba0e174ae17f5697f2c22279e.tar.gz rails-74fd17346f30fddba0e174ae17f5697f2c22279e.tar.bz2 rails-74fd17346f30fddba0e174ae17f5697f2c22279e.zip |
Merge branch 'master' of git@github.com:rails/rails
Diffstat (limited to 'actionpack/lib/action_controller/request_forgery_protection.rb')
-rw-r--r-- | actionpack/lib/action_controller/request_forgery_protection.rb | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 946a0ed152..02c9d59d07 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -105,12 +105,12 @@ module ActionController #:nodoc: # Sets the token value for the current session. Pass a <tt>:secret</tt> option # in +protect_from_forgery+ to add a custom salt to the hash. def form_authenticity_token - @form_authenticity_token ||= if request_forgery_protection_options[:secret] + @form_authenticity_token ||= if !session.respond_to?(:session_id) + raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session." + elsif request_forgery_protection_options[:secret] authenticity_token_from_session_id elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest) authenticity_token_from_cookie_session - elsif session.nil? - raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session." else raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store)." end |