diff options
| author | Piotr Sarnacki <drogus@gmail.com> | 2012-03-28 04:03:50 +0200 |
|---|---|---|
| committer | Piotr Sarnacki <drogus@gmail.com> | 2012-03-28 18:03:15 +0200 |
| commit | 805b15ff35122f5fd0bb9c1742578b14eebfac32 (patch) | |
| tree | 7c01ed925098e52f5903f5f45c0a5d46cf62d1e1 /actionpack/test | |
| parent | 6cff09038d5d78e6a4a12d0a27c6b1b87f0a5147 (diff) | |
| download | rails-805b15ff35122f5fd0bb9c1742578b14eebfac32.tar.gz rails-805b15ff35122f5fd0bb9c1742578b14eebfac32.tar.bz2 rails-805b15ff35122f5fd0bb9c1742578b14eebfac32.zip | |
Added config.action_view.embed_authenticity_token_in_remote_forms
There is a regression introduced in 16ee611fa, which breaks
remote forms that should also work without javascript. This commit
introduces config option that allows to configure this behavior
defaulting to the old behavior (ie. include authenticity token
in remote forms by default)
Conflicts:
actionpack/CHANGELOG.md
Diffstat (limited to 'actionpack/test')
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 50 |
1 files changed, 48 insertions, 2 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 7b722bd3d7..7ded9ddc81 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -44,6 +44,14 @@ module RequestForgeryProtectionActions render :inline => "<%= form_for(:some_resource, :remote => true, :authenticity_token => true ) {} %>" end + def form_for_with_token + render :inline => "<%= form_for(:some_resource, :authenticity_token => true ) {} %>" + end + + def form_for_remote_with_external_token + render :inline => "<%= form_for(:some_resource, :remote => true, :authenticity_token => 'external_token') {} %>" + end + def rescue_action(e) raise e end end @@ -108,11 +116,42 @@ module RequestForgeryProtectionTests assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token end - def test_should_render_form_without_token_tag_if_remote + def test_should_render_form_with_token_tag_if_remote assert_not_blocked do get :form_for_remote end - assert_no_match(/authenticity_token/, response.body) + assert_match(/authenticity_token/, response.body) + end + + def test_should_render_form_without_token_tag_if_remote_and_embedding_token_is_off + begin + ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false + assert_not_blocked do + get :form_for_remote + end + assert_no_match(/authenticity_token/, response.body) + ensure + ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true + end + end + + def test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_off_but_true_option_passed + begin + ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false + assert_not_blocked do + get :form_for_remote_with_token + end + assert_match(/authenticity_token/, response.body) + ensure + ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true + end + end + + def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested + assert_not_blocked do + get :form_for_remote_with_external_token + end + assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', 'external_token' end def test_should_render_form_with_token_tag_if_remote_and_authenticity_token_requested @@ -122,6 +161,13 @@ module RequestForgeryProtectionTests assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token end + def test_should_render_form_with_token_tag_with_authenticity_token_requested + assert_not_blocked do + get :form_for_with_token + end + assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token + end + def test_should_allow_get assert_not_blocked { get :index } end |