authorDavid Heinemeier Hansson <david@loudthinking.com>2007-09-25 16:50:35 +0000
committerDavid Heinemeier Hansson <david@loudthinking.com>2007-09-25 16:50:35 +0000
commit82c1fed89fe6dae8f44b6647dd94fc68f01eaa81 (patch)
tree481c9021fa02f203b2cbba797ff45100f19c6dd8 /actionpack/test/controller
parent106b236824bbdf1cc9675b9531bac0c30a1926b0 (diff)
Protect button_to behind protect_from_forgery (closes #9675) [lifo]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb144
1 files changed, 38 insertions, 106 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 98ca44c8cb..a9b674405d 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -4,42 +4,21 @@ ActionController::Routing::Routes.draw do |map|
map.connect ':controller/:action/:id'
end
-class RequestForgeryProtectionController < ActionController::Base
- protect_from_forgery :only => :index, :secret => 'abc'
-
- def index
- render :inline => "<%= form_tag('/') {} %>"
- end
-
- def unsafe
- render :text => 'pwn'
- end
-
- def rescue_action(e) raise e end
-end
-
-class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
- def setup
- @controller = RequestForgeryProtectionController.new
- @request = ActionController::TestRequest.new
- @response = ActionController::TestResponse.new
- class << @request.session
- def session_id() '123' end
- end
- @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
- ActionController::Base.request_forgery_protection_token = :authenticity_token
- end
-
+module RequestForgeryProtectionTests
def teardown
ActionController::Base.request_forgery_protection_token = nil
end
-
+
def test_should_render_form_with_token_tag
get :index
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
+
+ def test_should_render_button_to_with_token_tag
+ get :show_button
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
+ end
- # Replace this with your real tests.
def test_should_allow_get
get :index
assert_response :success
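Review bot: The shared RequestForgeryProtectionTests module silently depends on state the including test case must set up — `@token` (used by the new button_to assertion and the form assertion above it), `@controller`/`@request`/`@response`, and the `get`/`post` helpers — but nothing at the module's top states that contract, and a third includer that forgets `@token` would pass `nil` into `assert_select` and fail obscurely. Suggest a header comment: `# Mixed into a Test::Unit::TestCase whose setup assigns @controller, @request, @response and @token (the authenticity token expected for that controller's secret/session) and sets ActionController::Base.request_forgery_protection_token.` It would also help to note that teardown resets a process-global (`ActionController::Base.request_forgery_protection_token`), so these tests are order-sensitive if any includer skips the module's teardown. The module body continues past the end of this hunk.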
@@ -105,14 +84,15 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
end
end
-# no token is given, assume the cookie store is used
-class CsrfCookieMonsterController < ActionController::Base
- protect_from_forgery :only => :index
-
+module RequestForgeryProtectionActions
def index
render :inline => "<%= form_tag('/') {} %>"
end
+ def show_button
+ render :inline => "<%= button_to('New', '/') {} %>"
+ end
+
def unsafe
render :text => 'pwn'
end
@@ -120,6 +100,31 @@ class CsrfCookieMonsterController < ActionController::Base
def rescue_action(e) raise e end
end
+class RequestForgeryProtectionController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery :only => :index, :secret => 'abc'
+end
+
+class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
+ include RequestForgeryProtectionTests
+ def setup
+ @controller = RequestForgeryProtectionController.new
+ @request = ActionController::TestRequest.new
+ @response = ActionController::TestResponse.new
+ class << @request.session
+ def session_id() '123' end
+ end
+ @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+ ActionController::Base.request_forgery_protection_token = :authenticity_token
+ end
+end
+
+# no token is given, assume the cookie store is used
+class CsrfCookieMonsterController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery :only => :index
+end
+
class FakeSessionDbMan
def self.generate_digest(data)
Digest::SHA1.hexdigest("secure")
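Review bot: Both controllers keep `protect_from_forgery :only => :index`, so `show_button` (and `unsafe`) remain unverified; the new button_to test therefore proves only that the token is rendered into the form, not that a request carrying that form's target is rejected without it, and a reader could easily assume the opposite. Suggest a comment on each `protect_from_forgery` line, e.g. `# Only :index is verified; :unsafe and :show_button stay open so the tests can tell "token rendered" apart from "token enforced".` The two `setup` methods also duplicate the `@request`/`@response` construction and the `request_forgery_protection_token = :authenticity_token` assignment; since both classes already include the shared module, hoisting those three lines into a module `setup` that subclasses extend would leave only the controller and `@token` derivation per class. The `@token` line in RequestForgeryProtectionControllerTest hard-codes the HMAC derivation (`OpenSSL::HMAC.hexdigest(..., 'abc', '123')`), which is a reasonable pin on the token algorithm but deserves a comment saying it mirrors the secret and the stubbed `session_id`.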
@@ -127,6 +132,7 @@ class FakeSessionDbMan
end
class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
+ include RequestForgeryProtectionTests
def setup
@controller = CsrfCookieMonsterController.new
@request = ActionController::TestRequest.new
@@ -139,79 +145,5 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
@token = Digest::SHA1.hexdigest("secure")
ActionController::Base.request_forgery_protection_token = :authenticity_token
end
-
- def teardown
- ActionController::Base.request_forgery_protection_token = nil
- end
-
- def test_should_render_form_with_token_tag
- get :index
- assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
- end
-
- # Replace this with your real tests.
- def test_should_allow_get
- get :index
- assert_response :success
- end
-
- def test_should_allow_post_without_token_on_unsafe_action
- post :unsafe
- assert_response :success
- end
-
- def test_should_not_allow_post_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
- end
-
- def test_should_not_allow_put_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
- end
-
- def test_should_not_allow_delete_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
- end
-
- def test_should_not_allow_xhr_post_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
- end
-
- def test_should_not_allow_xhr_put_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
- end
-
- def test_should_not_allow_xhr_delete_without_token
- assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
- end
-
- def test_should_allow_post_with_token
- post :index, :authenticity_token => @token
- assert_response :success
- end
-
- def test_should_allow_put_with_token
- put :index, :authenticity_token => @token
- assert_response :success
- end
-
- def test_should_allow_delete_with_token
- delete :index, :authenticity_token => @token
- assert_response :success
- end
-
- def test_should_allow_post_with_xml
- post :index, :format => 'xml'
- assert_response :success
- end
-
- def test_should_allow_put_with_xml
- put :index, :format => 'xml'
- assert_response :success
- end
-
- def test_should_allow_delete_with_xml
- delete :index, :format => 'xml'
- assert_response :success
- end
end