diff options
author | Peter Jones <pjones@pmade.com> | 2008-05-07 16:04:18 -0600 |
---|---|---|
committer | David Heinemeier Hansson <david@loudthinking.com> | 2008-05-11 13:27:34 -0500 |
commit | 2a986200b9a6be0f68a0db504dc478da04842dee (patch) | |
tree | 66421a3dd7322c44184a273834ed95795f0a5a0f /actionpack/test | |
parent | 7013d9e52a41a6261738b8d11bcada85bc6fe81b (diff) | |
download | rails-2a986200b9a6be0f68a0db504dc478da04842dee.tar.gz rails-2a986200b9a6be0f68a0db504dc478da04842dee.tar.bz2 rails-2a986200b9a6be0f68a0db504dc478da04842dee.zip |
Bug: Earlier Check for Session in Forgery Protection
The session is used by the form_authenticity_token method before it is
tested to be valid. This patch moves a few lines around so that the
session is validated first.
Without this patch, if you try to use forgery protection with sessions
turned off, you get this exception message:
undefined method `session_id' for {}:Hash
The patch includes a test that can be used to see this behavior before
the request_forgery_protection.rb file is patched to fix it.
Diffstat (limited to 'actionpack/test')
-rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index d0c3c6e224..7022713e30 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -50,6 +50,14 @@ class CsrfCookieMonsterController < ActionController::Base protect_from_forgery :only => :index end +# sessions are turned off +class SessionOffController < ActionController::Base + protect_from_forgery :secret => 'foobar' + session :off + def rescue_action(e) raise e end + include RequestForgeryProtectionActions +end + class FreeCookieController < CsrfCookieMonsterController self.allow_forgery_protection = false @@ -224,3 +232,19 @@ class FreeCookieControllerTest < Test::Unit::TestCase end end end + +class SessionOffControllerTest < Test::Unit::TestCase + def setup + @controller = SessionOffController.new + @request = ActionController::TestRequest.new + @response = ActionController::TestResponse.new + @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123') + end + + def test_should_raise_correct_exception + @request.session = {} # session(:off) doesn't appear to work with controller tests + assert_raises(ActionController::InvalidAuthenticityToken) do + post :index, :authenticity_token => @token + end + end +end |