authorPiotr Sarnacki <drogus@gmail.com>2012-03-28 04:03:50 +0200
committerPiotr Sarnacki <drogus@gmail.com>2012-03-28 14:37:23 +0200
commitd646d9d2e76a66037cb258c179a6ca5133f13ede (patch)
tree0430fc84a0a89e29a4b5cd97a480465fe5e26e89 /actionpack/test/controller
parent2d5b60e982cf210c36f849185382546cf16b52b9 (diff)
Added config.action_view.embed_authenticity_token_in_remote_forms
There is a regression introduced in 16ee611fa, which breaks remote forms that should also work without JavaScript. This commit introduces a config option that makes this behavior configurable, defaulting to the old behavior (i.e. the authenticity token is included in remote forms by default).
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb54
1 files changed, 48 insertions, 6 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index b8b14f3a24..77c1fc4ed7 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -45,6 +45,14 @@ module RequestForgeryProtectionActions
render :inline => "<%= form_for(:some_resource, :remote => true, :authenticity_token => true ) {} %>"
end
+ def form_for_with_token
+ render :inline => "<%= form_for(:some_resource, :authenticity_token => true ) {} %>"
+ end
+
+ def form_for_remote_with_external_token
+ render :inline => "<%= form_for(:some_resource, :remote => true, :authenticity_token => 'external_token') {} %>"
+ end
+
def rescue_action(e) raise e end
end
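Review bot: The new `form_for_remote_with_external_token` action has no comment explaining why it passes a string instead of `true`. The matching test asserts that the hidden input carries the literal value `'external_token'`, so the fixture exists to show that a String option is rendered verbatim in place of the session token. A one-line comment above the action would make that clear, for example `# A String :authenticity_token is emitted as-is, not replaced by the session token.` The enclosing module starts outside this hunk.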
@@ -111,11 +119,42 @@ module RequestForgeryProtectionTests
assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token
end
- def test_should_render_form_without_token_tag_if_remote
+ def test_should_render_form_with_token_tag_if_remote
assert_not_blocked do
get :form_for_remote
end
- assert_no_match(/authenticity_token/, response.body)
+ assert_match(/authenticity_token/, response.body)
+ end
+
+ def test_should_render_form_without_token_tag_if_remote_and_embedding_token_is_off
+ begin
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
+ assert_not_blocked do
+ get :form_for_remote
+ end
+ assert_no_match(/authenticity_token/, response.body)
+ ensure
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
+ end
+ end
+
+ def test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_off_but_true_option_passed
+ begin
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
+ assert_not_blocked do
+ get :form_for_remote_with_token
+ end
+ assert_match(/authenticity_token/, response.body)
+ ensure
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
+ end
+ end
+
+ def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested
+ assert_not_blocked do
+ get :form_for_remote_with_external_token
+ end
+ assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', 'external_token'
end
def test_should_render_form_with_token_tag_if_remote_and_authenticity_token_requested
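Review bot: Both `ensure` blocks reset the flag to a hard-coded `true` instead of the value it had before the test ran. This applies to `test_should_render_form_without_token_tag_if_remote_and_embedding_token_is_off` and to the `..._but_true_option_passed` test. If the default changes, or another test leaves the flag set differently, these tests will silently change process-wide CSRF token embedding for whatever runs after them. Capture the value first with `original = ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms`, then restore it in the `ensure` with `ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = original`. The explicit `begin` is also unnecessary, because a `def` body accepts `ensure` directly.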
@@ -125,6 +164,13 @@ module RequestForgeryProtectionTests
assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token
end
+ def test_should_render_form_with_token_tag_with_authenticity_token_requested
+ assert_not_blocked do
+ get :form_for_with_token
+ end
+ assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token
+ end
+
def test_should_allow_get
assert_not_blocked { get :index }
end
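Review bot: No test visible in these hunks renders a non-remote form while `embed_authenticity_token_in_remote_forms` is `false`. The added `test_should_render_form_with_token_tag_with_authenticity_token_requested` runs only under the default setting. Judging by its name, the option is meant to affect remote forms only. A case that sets it to `false`, requests a non-remote form that passes no `:authenticity_token` option, and asserts the token input is still present would catch a regression that strips CSRF tokens from ordinary forms. Such a test may already exist outside the hunks shown here.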
@@ -270,10 +316,6 @@ class FreeCookieControllerTest < ActionController::TestCase
end
end
-
-
-
-
class CustomAuthenticityParamControllerTest < ActionController::TestCase
def setup
ActionController::Base.request_forgery_protection_token = :custom_token_name