author | Rick Olson <technoweenie@gmail.com> | 2007-09-28 15:55:45 +0000 |
---|---|---|
committer | Rick Olson <technoweenie@gmail.com> | 2007-09-28 15:55:45 +0000 |
commit | 5edc81dcc2e13bdce3da01745b0d1af654342aad (patch) | |
tree | 3ce7ceea9b18b465576b633a4a8fd859c632706f /actionpack/lib/action_controller | |
parent | b095ce63f2dbc88c1cb6da018d02e3707b8b48b9 (diff) | |
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/lib/action_controller')
-rwxr-xr-x | actionpack/lib/action_controller/base.rb | 5 | ||||
-rw-r--r-- | actionpack/lib/action_controller/request_forgery_protection.rb | 14 |
2 files changed, 15 insertions, 4 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index fd7e9e5244..9ac728e96a 100755
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -328,8 +328,11 @@ module ActionController #:nodoc:
 cattr_accessor :resource_action_separator
 # Sets the token parameter name for RequestForgery. Calling #protect_from_forgery sets it to :authenticity_token by default
- @@request_forgery_protection_token = nil
 cattr_accessor :request_forgery_protection_token
+
+ # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
+ class_inheritable_accessor :allow_forgery_protection
+ self.allow_forgery_protection = true
 # Holds the request object that's primarily used to get environment variables through access like
 # <tt>request.env["REQUEST_URI"]</tt>.
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index 803782113d..3a7eb789c4 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -8,6 +8,7 @@ module ActionController #:nodoc:
 class_inheritable_accessor :request_forgery_protection_options
 self.request_forgery_protection_options = {}
 helper_method :form_authenticity_token
+ helper_method :protect_against_forgery?
 end
 base.extend(ClassMethods)
 end
@@ -48,6 +49,9 @@ module ActionController #:nodoc:
 #
 # # uses one of the other session stores that uses a session_id value.
 # protect_from_forgery :secret => 'my-little-pony', :except => :index
+ #
+ # # you can disable csrf protection on controller-by-controller basis:
+ # skip_before_filter :verify_authenticity_token
 # end
 #
 # Valid Options: 
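Review bot: The new comment on `allow_forgery_protection` misspells "forgergy" and describes a test-mode default that this hunk does not set: the visible line assigns `true`, and the commit message says test mode turns it off, presumably from the test environment setup elsewhere in the patch rather than here. Because the accessor is `class_inheritable_accessor`, a `false` set on a parent controller silently disables CSRF verification for every descendant, so the comment should make clear this is a global switch intended for tests and that a single controller opts out with `skip_before_filter :verify_authenticity_token` instead. I would write: `# Controls whether request forgery protection is turned on or not. Defaults to true; the test environment turns it off so functional tests can post without a token. Inherited by subclasses, so treat it as a global, test-only switch.` The enclosing class body starts and ends outside the hunk.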
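Review bot: The new `skip_before_filter :verify_authenticity_token` example turns the check off for every action of that controller, state-changing ones included, which is broader than most callers need and is easy to copy verbatim. If `skip_before_filter` accepts the same `:only`/`:except` conditions as `before_filter` in this version, the example should show the narrow form, e.g. `#   skip_before_filter :verify_authenticity_token, :only => :some_api_action`, and the line above it should say that the unqualified form disables the check for all of the controller's actions. The documentation block containing this example starts outside the hunk.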
@@ -75,9 +79,9 @@ module ActionController #:nodoc:
 # * is it a GET request? Gets should be safe and idempotent
 # * Does the form_authenticity_token match the given _token value from the params?
 def verified_request?
- request_forgery_protection_token.nil? ||
- request.method == :get ||
- !verifiable_request_format? ||
+ !protect_against_forgery? ||
+ request.method == :get ||
+ !verifiable_request_format? ||
 form_authenticity_token == params[request_forgery_protection_token]
 end
@@ -110,5 +114,9 @@ module ActionController #:nodoc:
 session[:csrf_id] ||= CGI::Session.generate_unique_id
 session.dbman.generate_digest(session[:csrf_id])
 end
+
+ def protect_against_forgery?
+ allow_forgery_protection && request_forgery_protection_token
+ end
 end
 end
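Review bot: The bullet list above `verified_request?` enumerates the conditions under which a request counts as verified, but the new first clause `!protect_against_forgery?` is not among them, so a reader of the doc will miss that the whole check is skipped when `allow_forgery_protection` is false or no token parameter name has been configured. I would add a bullet before the GET one: `# * Is forgery protection turned off (allow_forgery_protection false, or no token parameter name set by protect_from_forgery)?`. The comment list begins before the first line of this hunk.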
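Review bot: `protect_against_forgery?` has no comment and, despite the `?` suffix, returns the token name rather than `true` when protection is on; that value also reaches view code, since the same commit exposes it as a helper method. Returning a strict boolean keeps the predicate honest: `!!(allow_forgery_protection && request_forgery_protection_token)`, preceded by `# True when CSRF verification applies: the global allow_forgery_protection switch is on and protect_from_forgery has set a token parameter name.`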
\ No newline at end of file |