diff options
author | Rick Olson <technoweenie@gmail.com> | 2007-09-28 15:55:45 +0000 |
---|---|---|
committer | Rick Olson <technoweenie@gmail.com> | 2007-09-28 15:55:45 +0000 |
commit | 5edc81dcc2e13bdce3da01745b0d1af654342aad (patch) | |
tree | 3ce7ceea9b18b465576b633a4a8fd859c632706f /actionpack/test/controller/request_forgery_protection_test.rb | |
parent | b095ce63f2dbc88c1cb6da018d02e3707b8b48b9 (diff) | |
download | rails-5edc81dcc2e13bdce3da01745b0d1af654342aad.tar.gz rails-5edc81dcc2e13bdce3da01745b0d1af654342aad.tar.bz2 rails-5edc81dcc2e13bdce3da01745b0d1af654342aad.zip |
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test/controller/request_forgery_protection_test.rb')
-rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index a9b674405d..0711ecf90c 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -125,6 +125,18 @@ class CsrfCookieMonsterController < ActionController::Base protect_from_forgery :only => :index end +class FreeCookieController < CsrfCookieMonsterController + self.allow_forgery_protection = false + + def index + render :inline => "<%= form_tag('/') {} %>" + end + + def show_button + render :inline => "<%= button_to('New', '/') {} %>" + end +end + class FakeSessionDbMan def self.generate_digest(data) Digest::SHA1.hexdigest("secure") @@ -147,3 +159,29 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase end end +class FreeCookieControllerTest < Test::Unit::TestCase + + def setup + @controller = FreeCookieController.new + @request = ActionController::TestRequest.new + @response = ActionController::TestResponse.new + @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123') + end + + def test_should_not_render_form_with_token_tag + get :index + assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false + end + + def test_should_not_render_button_to_with_token_tag + get :show_button + assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false + end + + def test_should_allow_all_methods_without_token + [:post, :put, :delete].each do |method| + assert_nothing_raised { send(method, :index)} + end + end + +end |