diff options
| author | Rick Olson <technoweenie@gmail.com> | 2007-09-28 15:55:45 +0000 |
|---|---|---|
| committer | Rick Olson <technoweenie@gmail.com> | 2007-09-28 15:55:45 +0000 |
| commit | 5edc81dcc2e13bdce3da01745b0d1af654342aad (patch) | |
| tree | 3ce7ceea9b18b465576b633a4a8fd859c632706f /actionpack/lib | |
| parent | b095ce63f2dbc88c1cb6da018d02e3707b8b48b9 (diff) | |
| download | rails-5edc81dcc2e13bdce3da01745b0d1af654342aad.tar.gz rails-5edc81dcc2e13bdce3da01745b0d1af654342aad.tar.bz2 rails-5edc81dcc2e13bdce3da01745b0d1af654342aad.zip | |
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/lib')
5 files changed, 20 insertions, 9 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index fd7e9e5244..9ac728e96a 100755 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -328,8 +328,11 @@ module ActionController #:nodoc: cattr_accessor :resource_action_separator # Sets the token parameter name for RequestForgery. Calling #protect_from_forgery sets it to :authenticity_token by default - @@request_forgery_protection_token = nil cattr_accessor :request_forgery_protection_token + + # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode. + class_inheritable_accessor :allow_forgery_protection + self.allow_forgery_protection = true # Holds the request object that's primarily used to get environment variables through access like # <tt>request.env["REQUEST_URI"]</tt>. diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 803782113d..3a7eb789c4 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -8,6 +8,7 @@ module ActionController #:nodoc: class_inheritable_accessor :request_forgery_protection_options self.request_forgery_protection_options = {} helper_method :form_authenticity_token + helper_method :protect_against_forgery? end base.extend(ClassMethods) end @@ -48,6 +49,9 @@ module ActionController #:nodoc: # # # uses one of the other session stores that uses a session_id value. # protect_from_forgery :secret => 'my-little-pony', :except => :index + # + # # you can disable csrf protection on controller-by-controller basis: + # skip_before_filter :verify_authenticity_token # end # # Valid Options: @@ -75,9 +79,9 @@ module ActionController #:nodoc: # * is it a GET request? Gets should be safe and idempotent # * Does the form_authenticity_token match the given _token value from the params? def verified_request? - request_forgery_protection_token.nil? || - request.method == :get || - !verifiable_request_format? || + !protect_against_forgery? || + request.method == :get || + !verifiable_request_format? || form_authenticity_token == params[request_forgery_protection_token] end @@ -110,5 +114,9 @@ module ActionController #:nodoc: session[:csrf_id] ||= CGI::Session.generate_unique_id session.dbman.generate_digest(session[:csrf_id]) end + + def protect_against_forgery? + allow_forgery_protection && request_forgery_protection_token + end end end
\ No newline at end of file diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb index db74df26bf..fdc0d10c6c 100644 --- a/actionpack/lib/action_view/helpers/form_tag_helper.rb +++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb @@ -401,7 +401,7 @@ module ActionView '' when /^post$/i, "", nil html_options["method"] = "post" - request_forgery_protection_token ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : '' + protect_against_forgery? ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : '' else html_options["method"] = "post" content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag, :style => 'margin:0;padding:0') @@ -421,7 +421,7 @@ module ActionView end def token_tag - if request_forgery_protection_token.nil? + unless protect_against_forgery? '' else tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token) diff --git a/actionpack/lib/action_view/helpers/prototype_helper.rb b/actionpack/lib/action_view/helpers/prototype_helper.rb index def33b9ee1..7dcc92a674 100644 --- a/actionpack/lib/action_view/helpers/prototype_helper.rb +++ b/actionpack/lib/action_view/helpers/prototype_helper.rb @@ -739,7 +739,7 @@ module ActionView js_options['parameters'] = options[:with] end - if request_forgery_protection_token + if protect_against_forgery? if js_options['parameters'] js_options['parameters'] << " + '&" else diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb index 490b2c1215..70d3ddd403 100644 --- a/actionpack/lib/action_view/helpers/url_helper.rb +++ b/actionpack/lib/action_view/helpers/url_helper.rb @@ -203,7 +203,7 @@ module ActionView form_method = method.to_s == 'get' ? 'get' : 'post' request_token_tag = '' - if form_method == 'post' && request_forgery_protection_token + if form_method == 'post' && protect_against_forgery? request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token) end @@ -477,7 +477,7 @@ module ActionView submit_function << "m.setAttribute('name', '_method'); m.setAttribute('value', '#{method}'); f.appendChild(m);" end - if request_forgery_protection_token + if protect_against_forgery? submit_function << "var s = document.createElement('input'); s.setAttribute('type', 'hidden'); " submit_function << "s.setAttribute('name', '#{request_forgery_protection_token}'); s.setAttribute('value', '#{escape_javascript form_authenticity_token}'); f.appendChild(s);" end |