author | Ben Toews <mastahyeti@users.noreply.github.com> | 2016-01-04 12:23:55 -0700 |
committer | Ben Toews <mastahyeti@users.noreply.github.com> | 2016-01-04 12:26:38 -0700 |
commit | 3e98819e20bc113343d4d4c0df614865ad5a9d3a (patch) | |
tree | fa003a9cbbec97f7d1cdb9a87a2c065473ad2e4d /actionview | |
parent | e165f7fa6044926796c9d9a8bb9a81bc78431d4f (diff) | |
add option for per-form CSRF tokens
Diffstat (limited to 'actionview')
-rw-r--r-- | actionview/lib/action_view/helpers/form_tag_helper.rb | 10 | ||||
-rw-r--r-- | actionview/lib/action_view/helpers/url_helper.rb | 10 | ||||
-rw-r--r-- | actionview/test/template/url_helper_test.rb | 2 |
3 files changed, 16 insertions, 6 deletions
diff --git a/actionview/lib/action_view/helpers/form_tag_helper.rb b/actionview/lib/action_view/helpers/form_tag_helper.rb
index 79a1a242bf..d521553481 100644
--- a/actionview/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionview/lib/action_view/helpers/form_tag_helper.rb
@@ -870,10 +870,16 @@ module ActionView
 ''
 when /^post$/i, "", nil
 html_options["method"] = "post"
- token_tag(authenticity_token)
+ token_tag(authenticity_token, form_options: {
+ action: html_options["action"],
+ method: "post"
+ })
 else
 html_options["method"] = "post"
- method_tag(method) + token_tag(authenticity_token)
+ method_tag(method) + token_tag(authenticity_token, form_options: {
+ action: html_options["action"],
+ method: method
+ })
 end
 
 if html_options.delete("enforce_utf8") { true }
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index baebc34b4b..3a4561a083 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -311,7 +311,11 @@ module ActionView
 form_options[:action] = url
 form_options[:'data-remote'] = true if remote
 
- request_token_tag = form_method == 'post' ? token_tag : ''
+ request_token_tag = if form_method == 'post'
+ token_tag(nil, form_options: form_options)
+ else
+ ''
+ end
 
 html_options = convert_options_to_data_attributes(options, html_options)
 html_options['type'] = 'submit'
@@ -579,9 +583,9 @@ module ActionView
 html_options["data-method"] = method
 end
 
- def token_tag(token=nil)
+ def token_tag(token=nil, form_options: {})
 if token != false && protect_against_forgery?
- token ||= form_authenticity_token
+ token ||= form_authenticity_token(form_options: form_options)
 tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token)
 else
 ''
diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb
index 784a48ed8d..89cabb8f6b 100644
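Review bot: In the form_tag_helper hunk the `else` branch binds the token to `method` exactly as the caller supplied it, while the `post` branch uses the literal `"post"`; since `method` is assigned by the `case` expression above the hunk, it may still carry the caller's spelling (a symbol, or upper case), and a token derived from a differently-spelled verb will only verify if `form_authenticity_token` normalizes it on both sides. Normalizing here, `method: method.to_s.downcase`, removes that dependency and keeps the two branches symmetrical. The same `{ action: html_options["action"], method: ... }` literal is built twice; computing it once before the `case` (with the verb as the only varying part) would avoid the duplication, and it is worth confirming that `html_options["action"]` is already populated when this helper runs, otherwise the token is bound to `nil`. The enclosing method starts and ends outside the hunk.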
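Review bot: In the first url_helper hunk `token_tag(nil, form_options: form_options)` hands the token generator the button's whole form hash, whereas the form_tag_helper change passes only `action` and the logical verb; if `form_options[:method]` holds `form_method` (the transport method, which the `if form_method == 'post'` test suggests is `'post'` for every non-GET button), a `button_to` with an overriding verb such as `:delete` gets a token bound to `post` while the request arrives under the overridden verb, so the per-form binding would not agree between the two helpers. Passing an explicit pair makes the intent visible and independent of whatever else the caller put in `form` options: `request_method = method.to_s.empty? ? 'post' : method.to_s` followed by `token_tag(nil, form_options: { action: url, method: request_method })`, where `method` is the verb `button_to` reads from its options above the hunk. `button_to` begins and ends outside the hunk.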
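Review bot: In the second url_helper hunk `token_tag` now calls `form_authenticity_token` with a `form_options:` keyword, which changes the contract for every object that supplies that method to the view (the stub in url_helper_test.rb had to grow `*args` for exactly this reason), yet nothing in the hunk documents the new parameter. A short comment above the definition would help maintainers and host applications that override the method: `# form_options: the form's :action and :method; forwarded to form_authenticity_token so the token can be bound to one form (see the per-form option this commit adds). Pass an empty hash for a form-independent token.` Forwarding the caller's hash unfiltered also means keys unrelated to the binding reach the token derivation; narrowing it here to the `:action` and `:method` entries would make the contract explicit at the single point both helpers pass through. The `token_tag` body continues past the end of the hunk.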
--- a/actionview/test/template/url_helper_test.rb
+++ b/actionview/test/template/url_helper_test.rb
@@ -582,7 +582,7 @@ class UrlHelperTest < ActiveSupport::TestCase
 self.request_forgery
 end
 
- def form_authenticity_token
+ def form_authenticity_token(*args)
 "secret"
 end