authorRick Olson <technoweenie@gmail.com>2006-08-01 03:02:31 +0000
committerRick Olson <technoweenie@gmail.com>2006-08-01 03:02:31 +0000
commit58b996f9b03668573fef2696d583ff04191a5fa7 (patch)
tree2ccc8009579855748748e27d84d37d28da3128bc /actionpack/test/controller
parentc9417dcef379ec3e87fed63d32636697c2d19939 (diff)
Restrict Request Method hacking with ?_method to POST requests. [Rick Olson]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4644 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r--actionpack/test/controller/request_test.rb30
1 files changed, 29 insertions, 1 deletions
diff --git a/actionpack/test/controller/request_test.rb b/actionpack/test/controller/request_test.rb
index 43cd8836fe..9f79e7d6df 100644
--- a/actionpack/test/controller/request_test.rb
+++ b/actionpack/test/controller/request_test.rb
@@ -262,5 +262,33 @@ class RequestTest < Test::Unit::TestCase
@request.env['HTTP_X_FORWARDED_PROTO'] = 'https'
assert @request.ssl?
end
-
+
+ def test_symbolized_request_methods
+ [:head, :get, :post, :put, :delete].each do |method|
+ set_request_method_to method
+ assert_equal method, @request.method
+ end
+ end
+
+ def test_allow_method_hacking_on_post
+ set_request_method_to :post
+ [:head, :get, :put, :delete].each do |method|
+ @request.instance_eval { @parameters = { :_method => method } ; @request_method = nil }
+ assert_equal method, @request.method
+ end
+ end
+
+ def test_restrict_method_hacking
+ @request.instance_eval { @parameters = { :_method => 'put' } }
+ [:head, :get, :put, :delete].each do |method|
+ set_request_method_to method
+ assert_equal method, @request.method
+ end
+ end
+
+ protected
+ def set_request_method_to(method)
+ @request.env['REQUEST_METHOD'] = method.to_s.upcase
+ @request.instance_eval { @request_method = nil }
+ end
end
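Review bot: `test_allow_method_hacking_on_post` sets `:_method` to a Symbol, but parameters parsed from a real request arrive as Strings, so the POST override path is never exercised with the type it will actually receive; `@request.instance_eval { @parameters = { :_method => method.to_s } ; @request_method = nil }` would cover that. `test_restrict_method_hacking` pins only `'put'`, and its `:put` iteration passes whether or not the override is ignored, so a second pass with `:_method => 'delete'` would make the restriction on non-POST requests more convincing. There is also no case for a POST carrying an unrecognised `_method` value; the implementation is not part of this diff, so whether such a value is rejected or turned into an arbitrary symbol cannot be confirmed from here and is worth pinning with an assertion. The `RequestTest` class body starts outside this hunk.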