diff options
| author | Vijay Dev <vijaydev.cse@gmail.com> | 2012-06-14 22:52:38 +0530 |
|---|---|---|
| committer | Vijay Dev <vijaydev.cse@gmail.com> | 2012-06-14 22:52:38 +0530 |
| commit | c1474ff2e78da7a3443c3eee470a1e9aa5b560dd (patch) | |
| tree | d02393ca969e8ab612ab7e764f5504c34bd6da89 /actionpack/lib/action_controller | |
| parent | f5e7cb84cd377feb1b60c5356ce02123e9c94380 (diff) | |
| parent | 5795efa9d8c330853c9ce4507abc3d5b8baa65e1 (diff) | |
| download | rails-c1474ff2e78da7a3443c3eee470a1e9aa5b560dd.tar.gz rails-c1474ff2e78da7a3443c3eee470a1e9aa5b560dd.tar.bz2 rails-c1474ff2e78da7a3443c3eee470a1e9aa5b560dd.zip | |
Merge branch 'master' of github.com:lifo/docrails
Diffstat (limited to 'actionpack/lib/action_controller')
| -rw-r--r-- | actionpack/lib/action_controller/metal/http_authentication.rb | 20 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 14 |
2 files changed, 26 insertions, 8 deletions
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb index 57bb0e2a32..a0d1064094 100644 --- a/actionpack/lib/action_controller/metal/http_authentication.rb +++ b/actionpack/lib/action_controller/metal/http_authentication.rb @@ -401,16 +401,20 @@ module ActionController end end - # If token Authorization header is present, call the login procedure with - # the present token and options. + # If token Authorization header is present, call the login + # procedure with the present token and options. # - # controller - ActionController::Base instance for the current request. - # login_procedure - Proc to call if a token is present. The Proc should - # take 2 arguments: - # authenticate(controller) { |token, options| ... } + # [controller] + # ActionController::Base instance for the current request. # - # Returns the return value of `&login_procedure` if a token is found. - # Returns nil if no token is found. + # [login_procedure] + # Proc to call if a token is present. The Proc should take two arguments: + # + # authenticate(controller) { |token, options| ... } + # + # Returns the return value of <tt>login_procedure</tt> if a + # token is found. Returns <tt>nil</tt> if no token is found. + def authenticate(controller, &login_procedure) token, options = token_and_options(controller.request) unless token.blank? diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 95b0e99ed5..53534c0307 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -14,6 +14,20 @@ module ActionController #:nodoc: # authentication scheme there anyway). Also, GET requests are not protected as these # should be idempotent. # + # It's important to remember that XML or JSON requests are also affected and if + # you're building an API you'll need something like: + # + # class ApplicationController < ActionController::Base + # protect_from_forgery + # skip_before_filter :verify_authenticity_token, :if => :json_request? + # + # protected + # + # def json_request? + # request.format.json? + # end + # end + # # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method, # which checks the token and resets the session if it doesn't match what was expected. # A call to this method is generated for new \Rails applications by default. |