diff options
| author | David Heinemeier Hansson <david@loudthinking.com> | 2008-01-11 16:25:23 +0000 |
|---|---|---|
| committer | David Heinemeier Hansson <david@loudthinking.com> | 2008-01-11 16:25:23 +0000 |
| commit | 5d1a305f066daf5a60b2b1158d5d2aeae6fe32cb (patch) | |
| tree | a6dd78c9386d5c0615e161643808f4a2536bfc65 /actionpack | |
| parent | 104f31af1dc412160b624da1b09c5456fa862f53 (diff) | |
| download | rails-5d1a305f066daf5a60b2b1158d5d2aeae6fe32cb.tar.gz rails-5d1a305f066daf5a60b2b1158d5d2aeae6fe32cb.tar.bz2 rails-5d1a305f066daf5a60b2b1158d5d2aeae6fe32cb.zip | |
Fixed ActionView::Helpers::ActiveRecordHelper::form for when protect_from_forgery is used (closes #10739) [jeremyevans]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8626 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_view/helpers/active_record_helper.rb | 13 | ||||
| -rw-r--r-- | actionpack/test/template/active_record_helper_test.rb | 22 |
3 files changed, 34 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 0d31206107..3fb835161a 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Fixed ActionView::Helpers::ActiveRecordHelper::form for when protect_from_forgery is used #10739 [jeremyevans] + * Provide nicer access to HTTP Headers. Instead of request.env["HTTP_REFERRER"] you can now use request.headers["Referrer"]. [Koz] * UrlWriter respects relative_url_root. #10748 [Cheah Chu Yeow] diff --git a/actionpack/lib/action_view/helpers/active_record_helper.rb b/actionpack/lib/action_view/helpers/active_record_helper.rb index 9736b7e438..170ad84e43 100644 --- a/actionpack/lib/action_view/helpers/active_record_helper.rb +++ b/actionpack/lib/action_view/helpers/active_record_helper.rb @@ -56,6 +56,14 @@ module ActionView # form << content_tag("b", "Department") # form << collection_select("department", "id", @departments, "id", "name") # end + # + # The following options are available: + # + # * <tt>action</tt> - the action used when submitting the form (default: create if a new record, otherwise update) + # * <tt>input_block</tt> - specialize the output using a different block, see above + # * <tt>method</tt> - the method used when submitting the form (default: post) + # * <tt>multipart</tt> - whether to change the enctype of the form to multipart/form-date, used when uploading a file (default: false) + # * <tt>submit_value</tt> - the text of the submit button (default: Create if a new record, otherwise Update) def form(record_name, options = {}) record = instance_variable_get("@#{record_name}") @@ -65,13 +73,12 @@ module ActionView submit_value = options[:submit_value] || options[:action].gsub(/[^\w]/, '').capitalize - contents = '' + contents = form_tag({:action => action}, :method =>(options[:method] || 'post'), :enctype => options[:multipart] ? 'multipart/form-data': nil) contents << hidden_field(record_name, :id) unless record.new_record? contents << all_input_tags(record, record_name, options) yield contents if block_given? contents << submit_tag(submit_value) - - content_tag('form', contents, :action => action, :method => 'post', :enctype => options[:multipart] ? 'multipart/form-data': nil) + contents << '</form>' end # Returns a string containing the error message attached to the +method+ on the +object+ if one exists. diff --git a/actionpack/test/template/active_record_helper_test.rb b/actionpack/test/template/active_record_helper_test.rb index 499f5e7fc1..31fe7bbc29 100644 --- a/actionpack/test/template/active_record_helper_test.rb +++ b/actionpack/test/template/active_record_helper_test.rb @@ -86,6 +86,11 @@ class ActiveRecordHelperTest < Test::Unit::TestCase @user.email = "" end + + def protect_against_forgery? + @protect_against_forgery ? true : false + end + attr_accessor :request_forgery_protection_token, :form_authenticity_token def setup setup_post @@ -140,6 +145,23 @@ class ActiveRecordHelperTest < Test::Unit::TestCase form("post") ) end + + def test_form_with_protect_against_forgery + @protect_against_forgery = true + @request_forgery_protection_token = 'authenticity_token' + @form_authenticity_token = '123' + assert_dom_equal( + %(<form action="create" method="post"><div style='margin:0;padding:0'><input type='hidden' name='authenticity_token' value='123' /></div><p><label for="post_title">Title</label><br /><input id="post_title" name="post[title]" size="30" type="text" value="Hello World" /></p>\n<p><label for="post_body">Body</label><br /><div class="fieldWithErrors"><textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea></div></p><input name="commit" type="submit" value="Create" /></form>), + form("post") + ) + end + + def test_form_with_method_option + assert_dom_equal( + %(<form action="create" method="get"><p><label for="post_title">Title</label><br /><input id="post_title" name="post[title]" size="30" type="text" value="Hello World" /></p>\n<p><label for="post_body">Body</label><br /><div class="fieldWithErrors"><textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea></div></p><input name="commit" type="submit" value="Create" /></form>), + form("post", :method=>'get') + ) + end def test_form_with_action_option @response.body = form("post", :action => "sign") |