diff options
| author | Genadi Samokovarov <gsamokovarov@gmail.com> | 2018-12-26 21:10:37 +0200 |
|---|---|---|
| committer | Genadi Samokovarov <gsamokovarov@gmail.com> | 2018-12-27 11:33:54 +0200 |
| commit | a58db74c4feda7b8e2a02882c030b252d6fa8611 (patch) | |
| tree | cdb5496cc0faaf4315ef4e5e40304b7fc6b0a7ab /actionview/lib/action_view | |
| parent | b5ed468492387d42a44ca6af525d4a274cda756d (diff) | |
| download | rails-a58db74c4feda7b8e2a02882c030b252d6fa8611.tar.gz rails-a58db74c4feda7b8e2a02882c030b252d6fa8611.tar.bz2 rails-a58db74c4feda7b8e2a02882c030b252d6fa8611.zip | |
Don't expect defined protect_against_forgery? in {token,csrf_meta}_tag
The `#csrf_meta_tags` and `#token_tag` Action View helper methods are
expecting the class in which are included to explicitly define the
method `#protect_against_forgery?` or else they will fail with
`NoMethodError`.
This is a problem if you want to use Action View outside of Rails
applications. For example, in #34788 I used the `#button_to` helper
inside of the error pages templates that have a custom
`ActionView::Base` subclass, which did not defined
`#protect_against_forgery?` and trying to call the button failed.
I had to dig inside of Action View to find-out what's was going on. I
think we should either set a default method implementation in the
helpers or check for the method definition, but don't explicitly require
the presence of `#protect_against_forgery?` in every `ActionViews::Base`
subclass as the errors are hard to figure out.
Diffstat (limited to 'actionview/lib/action_view')
| -rw-r--r-- | actionview/lib/action_view/helpers/csrf_helper.rb | 2 | ||||
| -rw-r--r-- | actionview/lib/action_view/helpers/url_helper.rb | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/actionview/lib/action_view/helpers/csrf_helper.rb b/actionview/lib/action_view/helpers/csrf_helper.rb index 69c59844a6..c0422c6ff5 100644 --- a/actionview/lib/action_view/helpers/csrf_helper.rb +++ b/actionview/lib/action_view/helpers/csrf_helper.rb @@ -20,7 +20,7 @@ module ActionView # "X-CSRF-Token" HTTP header. If you are using rails-ujs this happens automatically. # def csrf_meta_tags - if protect_against_forgery? + if defined?(protect_against_forgery?) && protect_against_forgery? [ tag("meta", name: "csrf-param", content: request_forgery_protection_token), tag("meta", name: "csrf-token", content: form_authenticity_token) diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb index 948dd1551f..d63ada3890 100644 --- a/actionview/lib/action_view/helpers/url_helper.rb +++ b/actionview/lib/action_view/helpers/url_helper.rb @@ -618,7 +618,7 @@ module ActionView end def token_tag(token = nil, form_options: {}) - if token != false && protect_against_forgery? + if token != false && defined?(protect_against_forgery?) && protect_against_forgery? token ||= form_authenticity_token(form_options: form_options) tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token) else |