diff options
author | Rick Olson <technoweenie@gmail.com> | 2007-09-28 16:50:48 +0000 |
---|---|---|
committer | Rick Olson <technoweenie@gmail.com> | 2007-09-28 16:50:48 +0000 |
commit | 82ff27766d3edc3fb1d0d043841e9c3cd277744f (patch) | |
tree | 7854659c7ec3f0ae5b87a8d1068f92a8fb40775c /actionpack/lib/action_controller/request_forgery_protection.rb | |
parent | c1bdf027d8d54127e41427e21fabe7ff3e26c6bc (diff) | |
download | rails-82ff27766d3edc3fb1d0d043841e9c3cd277744f.tar.gz rails-82ff27766d3edc3fb1d0d043841e9c3cd277744f.tar.bz2 rails-82ff27766d3edc3fb1d0d043841e9c3cd277744f.zip |
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/lib/action_controller/request_forgery_protection.rb')
-rw-r--r-- | actionpack/lib/action_controller/request_forgery_protection.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 3a7eb789c4..035bad7498 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -93,8 +93,12 @@ module ActionController #:nodoc: def form_authenticity_token @form_authenticity_token ||= if request_forgery_protection_options[:secret] authenticity_token_from_session_id - else + elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest) authenticity_token_from_cookie_session + elsif session.nil? + raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session." + else + raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store)." end end |