authorRick Olson <technoweenie@gmail.com>2007-09-28 15:55:45 +0000
committerRick Olson <technoweenie@gmail.com>2007-09-28 15:55:45 +0000
commit5edc81dcc2e13bdce3da01745b0d1af654342aad (patch)
tree3ce7ceea9b18b465576b633a4a8fd859c632706f /actionpack/test
parentb095ce63f2dbc88c1cb6da018d02e3707b8b48b9 (diff)
Allow request forgery protection to be disabled, and disable it in test mode by default. Closes #9693 [lifofifo]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test')
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb38
-rw-r--r--actionpack/test/template/form_helper_test.rb6
-rw-r--r--actionpack/test/template/form_tag_helper_test.rb7
-rw-r--r--actionpack/test/template/prototype_helper_test.rb4
-rw-r--r--actionpack/test/template/scriptaculous_helper_test.rb6
-rw-r--r--actionpack/test/template/url_helper_test.rb4
6 files changed, 53 insertions, 12 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index a9b674405d..0711ecf90c 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -125,6 +125,18 @@ class CsrfCookieMonsterController < ActionController::Base
protect_from_forgery :only => :index
end
+class FreeCookieController < CsrfCookieMonsterController
+ self.allow_forgery_protection = false
+
+ def index
+ render :inline => "<%= form_tag('/') {} %>"
+ end
+
+ def show_button
+ render :inline => "<%= button_to('New', '/') {} %>"
+ end
+end
+
class FakeSessionDbMan
def self.generate_digest(data)
Digest::SHA1.hexdigest("secure")
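Review bot: The new FreeCookieController carries no comment saying what it is for, and a reader has to look back at the parent's `protect_from_forgery :only => :index` to see that `self.allow_forgery_protection = false` is opting out of an inherited filter rather than starting from a clean slate. I would add above the class: `# Inherits protect_from_forgery from CsrfCookieMonsterController but opts out via allow_forgery_protection; the helpers must then omit the authenticity_token field and unverified POST/PUT/DELETE must get through.` Whether that assignment is scoped to this subclass or also flips the setting for CsrfCookieMonsterController depends on how allow_forgery_protection is declared, which this diff does not show; if it is a plain class-level attribute shared across the hierarchy, the parent's own tests would start running with protection off. The `{}` block passed to `button_to` in show_button is a no-op and can be dropped.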
@@ -147,3 +159,29 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
end
end
+class FreeCookieControllerTest < Test::Unit::TestCase
+
+ def setup
+ @controller = FreeCookieController.new
+ @request = ActionController::TestRequest.new
+ @response = ActionController::TestResponse.new
+ @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+ end
+
+ def test_should_not_render_form_with_token_tag
+ get :index
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+ end
+
+ def test_should_not_render_button_to_with_token_tag
+ get :show_button
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+ end
+
+ def test_should_allow_all_methods_without_token
+ [:post, :put, :delete].each do |method|
+ assert_nothing_raised { send(method, :index)}
+ end
+ end
+
+end
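Review bot: The two negative `assert_select` calls constrain on `value=@token`, so they only prove that no hidden field carries that one specific value; a regression that still renders an authenticity_token with a different value (or one derived from a different secret) would pass both tests. Assert on the field name alone, `assert_select 'input[name=?]', 'authenticity_token', false`, which is the property the opt-out is actually supposed to guarantee. With that change the `@token` built in setup is unused and the OpenSSL::HMAC line can go. test_should_allow_all_methods_without_token could also add `assert_response :success` after each send, so a request that fails without raising is not reported as passing.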
diff --git a/actionpack/test/template/form_helper_test.rb b/actionpack/test/template/form_helper_test.rb
index 9b22d4cef3..1c842fc307 100644
--- a/actionpack/test/template/form_helper_test.rb
+++ b/actionpack/test/template/form_helper_test.rb
@@ -711,8 +711,8 @@ class FormHelperTest < Test::Unit::TestCase
def post_path(post)
"/posts/#{post.id}"
end
-
- def request_forgery_protection_token
- nil
+
+ def protect_against_forgery?
+ false
end
end
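Review bot: The replacement stub `protect_against_forgery?` returning false has no comment marking it as a test double, and nothing in the hunk says why the form helpers under test should see forgery protection switched off. I would add above it: `# Stubbed off so the helpers emit no authenticity_token hidden field; the token-rendering path is covered by request_forgery_protection_test.rb.` The identical stub is repeated in form_tag_helper_test, scriptaculous_helper_test and url_helper_test in this same commit; a small shared module mixed into those test cases would keep the copies from drifting the next time the predicate's contract changes.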
diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
index f2c6678ddd..ebf8f7058f 100644
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -177,9 +177,8 @@ class FormTagHelperTest < Test::Unit::TestCase
expected = %(<fieldset>Hello world!</fieldset>)
assert_dom_equal expected, _erbout
end
-
- def request_forgery_protection_token
- nil
-
+
+ def protect_against_forgery?
+ false
end
end
diff --git a/actionpack/test/template/prototype_helper_test.rb b/actionpack/test/template/prototype_helper_test.rb
index 48f947910f..3df1502f12 100644
--- a/actionpack/test/template/prototype_helper_test.rb
+++ b/actionpack/test/template/prototype_helper_test.rb
@@ -65,6 +65,10 @@ protected
nil
end
+ def protect_against_forgery?
+ false
+ end
+
def create_generator
block = Proc.new { |*args| yield *args if block_given? }
JavaScriptGenerator.new self, &block
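Review bot: The context lines just above the added `protect_against_forgery?` (`nil` / `end`) look like the tail of the old `request_forgery_protection_token` stub, which this hunk leaves in place while the other four helper tests in the commit replace it outright. If that reading is right, the two stubs are redundant here and the older one should be removed for consistency with the rest of the change; if some helper still calls `request_forgery_protection_token`, keeping it only in this file hides that dependency from the other suites. The enclosing `protected` section and the `create_generator` method both extend outside the hunk.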
diff --git a/actionpack/test/template/scriptaculous_helper_test.rb b/actionpack/test/template/scriptaculous_helper_test.rb
index 722839f15e..04fbe33d5d 100644
--- a/actionpack/test/template/scriptaculous_helper_test.rb
+++ b/actionpack/test/template/scriptaculous_helper_test.rb
@@ -89,8 +89,8 @@ class ScriptaculousHelperTest < Test::Unit::TestCase
assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nDroppables.add(\"droptarget1\", {accept:['tshirts','mugs'], onDrop:function(element){new Ajax.Updater('infobox', 'http://www.example.com/', {asynchronous:true, evalScripts:true, parameters:'id=' + encodeURIComponent(element.id)})}})\n//]]>\n</script>),
drop_receiving_element("droptarget1", :accept => ['tshirts','mugs'], :update => 'infobox')
end
-
- def request_forgery_protection_token
- nil
+
+ def protect_against_forgery?
+ false
end
end
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index 5707beeab1..dc0186f9df 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -268,8 +268,8 @@ class UrlHelperTest < Test::Unit::TestCase
assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
end
- def request_forgery_protection_token
- nil
+ def protect_against_forgery?
+ false
end
end