aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack
diff options
context:
space:
mode:
authorJeremy Kemper <jeremy@bitsweat.net>2010-04-04 10:16:27 -0700
committerJeremy Kemper <jeremy@bitsweat.net>2010-04-04 11:10:00 -0700
commite3959970e1f669c6ecf79d645b5e4f9d7ed2a4ec (patch)
treee9d926ad900776df172b672bb27cf0cbc5bdecdc /actionpack
parentef84e691ffe7b43ce64e859f43b17128a405785a (diff)
downloadrails-e3959970e1f669c6ecf79d645b5e4f9d7ed2a4ec.tar.gz
rails-e3959970e1f669c6ecf79d645b5e4f9d7ed2a4ec.tar.bz2
rails-e3959970e1f669c6ecf79d645b5e4f9d7ed2a4ec.zip
Fix signed cookies by explicitly passing config to the cookie jar
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_controller/metal/cookies.rb5
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb42
2 files changed, 22 insertions, 25 deletions
diff --git a/actionpack/lib/action_controller/metal/cookies.rb b/actionpack/lib/action_controller/metal/cookies.rb
index 75e5d40a63..4aaa705203 100644
--- a/actionpack/lib/action_controller/metal/cookies.rb
+++ b/actionpack/lib/action_controller/metal/cookies.rb
@@ -7,10 +7,11 @@ module ActionController #:nodoc:
included do
helper_method :cookies
end
-
+
private
def cookies
- request.cookie_jar
+ raise "You must set config.cookie_secret in your app's config" if config.secret.blank?
+ request.cookie_jar(:signing_secret => config.secret)
end
end
end
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index cb0d12cab1..71dcac9e94 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -1,7 +1,7 @@
module ActionDispatch
class Request
- def cookie_jar
- env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self)
+ def cookie_jar(config = {})
+ env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self, config)
end
end
@@ -51,17 +51,18 @@ module ActionDispatch
# only HTTP. Defaults to +false+.
class Cookies
class CookieJar < Hash #:nodoc:
- def self.build(request)
- new.tap do |hash|
+ def self.build(request, config = {})
+ new(config).tap do |hash|
hash.update(request.cookies)
end
end
- def initialize
+ def initialize(config = {})
+ @config = config
@set_cookies = {}
@delete_cookies = {}
- super
+ super()
end
# Returns the value of the cookie by +name+, or +nil+ if no such cookie exists.
@@ -111,7 +112,7 @@ module ActionDispatch
# cookies.permanent.signed[:remember_me] = current_user.id
# # => Set-Cookie: discount=BAhU--848956038e692d7046deab32b7131856ab20e14e; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT
def permanent
- @permanent ||= PermanentCookieJar.new(self)
+ @permanent ||= PermanentCookieJar.new(self, @config)
end
# Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from
@@ -119,7 +120,7 @@ module ActionDispatch
# cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception will
# be raised.
#
- # This jar requires that you set a suitable secret for the verification on ActionController::Base.cookie_verifier_secret.
+ # This jar requires that you set a suitable secret for the verification on your app's config.cookie_secret.
#
# Example:
#
@@ -128,7 +129,7 @@ module ActionDispatch
#
# cookies.signed[:discount] # => 45
def signed
- @signed ||= SignedCookieJar.new(self)
+ @signed ||= SignedCookieJar.new(self, @config)
end
def write(response)
@@ -138,8 +139,9 @@ module ActionDispatch
end
class PermanentCookieJar < CookieJar #:nodoc:
- def initialize(parent_jar)
+ def initialize(parent_jar, config = {})
@parent_jar = parent_jar
+ @config = config
end
def []=(key, options)
@@ -154,11 +156,7 @@ module ActionDispatch
end
def signed
- @signed ||= SignedCookieJar.new(self)
- end
-
- def controller
- @parent_jar.controller
+ @signed ||= SignedCookieJar.new(self, @config)
end
def method_missing(method, *arguments, &block)
@@ -167,18 +165,16 @@ module ActionDispatch
end
class SignedCookieJar < CookieJar #:nodoc:
- def initialize(parent_jar)
- unless ActionController::Base.config.secret
- raise "You must set ActionController::Base.config.secret"
- end
-
+ def initialize(parent_jar, config = {})
+ raise 'Missing cookie signing secret' if config[:signing_secret].blank?
@parent_jar = parent_jar
- @verifier = ActiveSupport::MessageVerifier.new(ActionController::Base.config.secret)
+ @config = config
+ @verifier = ActiveSupport::MessageVerifier.new(config[:signing_secret])
end
def [](name)
- if value = @parent_jar[name]
- @verifier.verify(value)
+ if signed_message = @parent_jar[name]
+ @verifier.verify(signed_message)
end
end