authorJosef Šimánek <josef.simanek@gmail.com>2015-01-05 01:38:54 +0100
committerJosef Šimánek <josef.simanek@gmail.com>2015-01-08 19:47:19 +0100
commit0074bbb07bb9c0a2e6a134a4230bf3afac8a71b1 (patch)
tree83aa0e3a0392a391a5a8177edba9fd687d52f4af /actionpack/test/controller
parent46c853f31e8c5c111904acabad16565508aba71e (diff)
downloadrails-0074bbb07bb9c0a2e6a134a4230bf3afac8a71b1.tar.gz
rails-0074bbb07bb9c0a2e6a134a4230bf3afac8a71b1.tar.bz2
rails-0074bbb07bb9c0a2e6a134a4230bf3afac8a71b1.zip
Add prepend option to protect_from_forgery.
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb60
1 files changed, 60 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 3e0bfe8d14..ea2d35c3f8 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -103,6 +103,31 @@ class RequestForgeryProtectionControllerUsingNullSession < ActionController::Bas
end
end
+class PrependProtectForgeryBaseController < ActionController::Base
+ before_action :custom_action
+ attr_accessor :called_callbacks
+
+ def index
+ render inline: 'OK'
+ end
+
+ protected
+
+ def add_called_callback(name)
+ @called_callbacks ||= []
+ @called_callbacks << name
+ end
+
+
+ def custom_action
+ add_called_callback("custom_action")
+ end
+
+ def verify_authenticity_token
+ add_called_callback("verify_authenticity_token")
+ end
+end
+
class FreeCookieController < RequestForgeryProtectionControllerUsingResetSession
self.allow_forgery_protection = false
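Review bot: The `verify_authenticity_token` override at the end of `PrependProtectForgeryBaseController` replaces the real CSRF check with a call recorder, and nothing in the class says so. A one-line comment above it, such as `# Stub: records call order only, no token is verified.`, would keep a later reader from assuming token verification is exercised by this controller. In the visible hunks `called_callbacks` is only ever read from outside the class, so `attr_reader :called_callbacks` would be enough. There is also a doubled blank line before `custom_action`.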
@@ -431,6 +456,41 @@ class RequestForgeryProtectionControllerUsingExceptionTest < ActionController::T
end
end
+class PrependProtectForgeryBaseControllerTest < ActionController::TestCase
+ PrependTrueController = Class.new(PrependProtectForgeryBaseController) do
+ protect_from_forgery prepend: true
+ end
+
+ PrependFalseController = Class.new(PrependProtectForgeryBaseController) do
+ protect_from_forgery prepend: false
+ end
+
+ PrependDefaultController = Class.new(PrependProtectForgeryBaseController) do
+ protect_from_forgery
+ end
+
+ def test_verify_authenticity_token_is_prepended
+ @controller = PrependTrueController.new
+ get :index
+ expected_callback_order = ["verify_authenticity_token", "custom_action"]
+ assert_equal(expected_callback_order, @controller.called_callbacks)
+ end
+
+ def test_verify_authenticity_token_is_not_prepended
+ @controller = PrependFalseController.new
+ get :index
+ expected_callback_order = ["custom_action", "verify_authenticity_token"]
+ assert_equal(expected_callback_order, @controller.called_callbacks)
+ end
+
+ def test_verify_authenticity_token_is_prepended_by_default
+ @controller = PrependDefaultController.new
+ get :index
+ expected_callback_order = ["verify_authenticity_token", "custom_action"]
+ assert_equal(expected_callback_order, @controller.called_callbacks)
+ end
+end
+
class FreeCookieControllerTest < ActionController::TestCase
def setup
@controller = FreeCookieController.new
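Review bot: `test_verify_authenticity_token_is_not_prepended` pins that with `prepend: false` the earlier `custom_action` callback runs before the token check, but nothing records what that order means for users of the option. A short comment above the test would help, for example `# prepend: false: callbacks declared earlier run before CSRF verification, so they see unverified requests.` All three tests issue `get :index` against the stubbed `verify_authenticity_token`, so they cover callback order only. A case that sends a non-GET request through the real check would presumably sit with the implementation change, which this path-limited diff does not show.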