diff options
| author | Genadi Samokovarov <gsamokovarov@gmail.com> | 2018-12-26 21:10:37 +0200 |
|---|---|---|
| committer | Genadi Samokovarov <gsamokovarov@gmail.com> | 2018-12-27 11:33:54 +0200 |
| commit | a58db74c4feda7b8e2a02882c030b252d6fa8611 (patch) | |
| tree | cdb5496cc0faaf4315ef4e5e40304b7fc6b0a7ab /actionview/test/template | |
| parent | b5ed468492387d42a44ca6af525d4a274cda756d (diff) | |
| download | rails-a58db74c4feda7b8e2a02882c030b252d6fa8611.tar.gz rails-a58db74c4feda7b8e2a02882c030b252d6fa8611.tar.bz2 rails-a58db74c4feda7b8e2a02882c030b252d6fa8611.zip | |
Don't expect defined protect_against_forgery? in {token,csrf_meta}_tag
The `#csrf_meta_tags` and `#token_tag` Action View helper methods are
expecting the class in which are included to explicitly define the
method `#protect_against_forgery?` or else they will fail with
`NoMethodError`.
This is a problem if you want to use Action View outside of Rails
applications. For example, in #34788 I used the `#button_to` helper
inside of the error pages templates that have a custom
`ActionView::Base` subclass, which did not defined
`#protect_against_forgery?` and trying to call the button failed.
I had to dig inside of Action View to find-out what's was going on. I
think we should either set a default method implementation in the
helpers or check for the method definition, but don't explicitly require
the presence of `#protect_against_forgery?` in every `ActionViews::Base`
subclass as the errors are hard to figure out.
Diffstat (limited to 'actionview/test/template')
| -rw-r--r-- | actionview/test/template/csrf_helper_test.rb | 46 | ||||
| -rw-r--r-- | actionview/test/template/url_helper_test.rb | 10 |
2 files changed, 56 insertions, 0 deletions
diff --git a/actionview/test/template/csrf_helper_test.rb b/actionview/test/template/csrf_helper_test.rb new file mode 100644 index 0000000000..dd9821eb6c --- /dev/null +++ b/actionview/test/template/csrf_helper_test.rb @@ -0,0 +1,46 @@ +# frozen_string_literal: true + +require "abstract_unit" + +class CsrfHelperTest < ActiveSupport::TestCase + cattr_accessor :request_forgery, default: false + + include ActionView::Helpers::CsrfHelper + include ActionView::Helpers::TagHelper + include Rails::Dom::Testing::Assertions::DomAssertions + + def test_csrf_meta_tags_without_request_forgery_protection + assert_dom_equal "", csrf_meta_tags + end + + def test_csrf_meta_tags_with_request_forgery_protection + self.request_forgery = true + + assert_dom_equal <<~DOM.chomp, csrf_meta_tags + <meta name="csrf-param" content="form_token" /> + <meta name="csrf-token" content="secret" /> + DOM + ensure + self.request_forgery = false + end + + def test_csrf_meta_tags_without_protect_against_forgery_method + self.class.undef_method(:protect_against_forgery?) + + assert_dom_equal "", csrf_meta_tags + ensure + self.class.define_method(:protect_against_forgery?) { request_forgery } + end + + def protect_against_forgery? + request_forgery + end + + def form_authenticity_token(*args) + "secret" + end + + def request_forgery_protection_token + "form_token" + end +end diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb index 1ab28e4749..632b32f09f 100644 --- a/actionview/test/template/url_helper_test.rb +++ b/actionview/test/template/url_helper_test.rb @@ -119,6 +119,16 @@ class UrlHelperTest < ActiveSupport::TestCase ) end + def test_button_to_without_protect_against_forgery_method + self.class.undef_method(:protect_against_forgery?) + assert_dom_equal( + %{<form method="post" action="http://www.example.com" class="button_to"><input type="submit" value="Hello" /></form>}, + button_to("Hello", "http://www.example.com") + ) + ensure + self.class.define_method(:protect_against_forgery?) { request_forgery } + end + def test_button_to_with_straight_url assert_dom_equal %{<form method="post" action="http://www.example.com" class="button_to"><input type="submit" value="Hello" /></form>}, button_to("Hello", "http://www.example.com") end |