authorJakub Kuźma <kuba@synergypeople.net>2010-12-27 23:31:14 +0100
committerJeremy Kemper <jeremy@bitsweat.net>2011-01-09 15:55:26 -0800
commit5106ce88e44286b88e5c2e2c261deb7e28392994 (patch)
tree8513abd60f80ccfee994a3b75ef148100ce49e07 /actionpack/test/controller
parent5d1d9bfb05dd84305369a8fc5a729d2b8ad912e2 (diff)
authenticity_token option for form_tag [#2988 state:resolved]
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb18
1 files changed, 18 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 2c9aa6187b..405af2a650 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -12,6 +12,14 @@ module RequestForgeryProtectionActions
render :inline => "<%= button_to('New', '/') {} %>"
end
+ def external_form
+ render :inline => "<%= form_tag('http://farfar.away/form', :authenticity_token => 'external_token') {} %>"
+ end
+
+ def external_form_without_protection
+ render :inline => "<%= form_tag('http://farfar.away/form', :authenticity_token => false) {} %>"
+ end
+
def unsafe
render :text => 'pwn'
end
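Review bot: The two new fixture actions, external_form and external_form_without_protection, carry no comment saying why the form target is an absolute URL on another host, which is the whole point of the case. A line above external_form such as `# Form posts to another origin: the session's CSRF token must not be embedded, so the caller passes its own token or false.` would make that intent clear to the next person editing these fixtures. No fixture here renders `form_tag('http://farfar.away/form')` with the option left out, so what an external target gets by default is not pinned by this change; that may be deliberate, but it is worth stating. The body of RequestForgeryProtectionActions begins and ends outside the hunk.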
@@ -65,6 +73,16 @@ module RequestForgeryProtectionTests
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
+ def test_should_render_external_form_with_external_token
+ get :external_form
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', 'external_token'
+ end
+
+ def test_should_render_external_form_without_token
+ get :external_form_without_protection
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+ end
+
def test_should_allow_get
get :index
assert_response :success
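Review bot: test_should_render_external_form_without_token only asserts that no input carries the value @token, so it would still pass if form_tag rendered an authenticity_token input with some other value, an empty one for instance. Asserting absence by name pins the intended behaviour: `assert_select 'form>div>input[name=?]', 'authenticity_token', false`. test_should_render_external_form_with_external_token has the mirror gap: it checks that 'external_token' is present but not that the session token is absent, and that absence is what keeps the token from reaching the other origin. Adding `assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false` to that test would cover it. The enclosing RequestForgeryProtectionTests module starts and ends outside the hunk.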