aboutsummaryrefslogtreecommitdiffstats
path: root/actionview
diff options
context:
space:
mode:
authorRafael França <rafaelmfranca@gmail.com>2016-01-06 02:55:10 -0200
committerRafael França <rafaelmfranca@gmail.com>2016-01-06 02:55:10 -0200
commitced9612b59d1a8fdd38ac1669cf1e6bd43220a24 (patch)
tree7538e45b68b9d25cd6903cd3eb690a1fc3dfdf43 /actionview
parent5c9a0a4a082a474a7bc0a5dabc390eea22a294ea (diff)
parent3e98819e20bc113343d4d4c0df614865ad5a9d3a (diff)
downloadrails-ced9612b59d1a8fdd38ac1669cf1e6bd43220a24.tar.gz
rails-ced9612b59d1a8fdd38ac1669cf1e6bd43220a24.tar.bz2
rails-ced9612b59d1a8fdd38ac1669cf1e6bd43220a24.zip
Merge pull request #22275 from mastahyeti/per-form-csrf
Per-form CSRF tokens
Diffstat (limited to 'actionview')
-rw-r--r--actionview/lib/action_view/helpers/form_tag_helper.rb10
-rw-r--r--actionview/lib/action_view/helpers/url_helper.rb10
-rw-r--r--actionview/test/template/url_helper_test.rb2
3 files changed, 16 insertions, 6 deletions
diff --git a/actionview/lib/action_view/helpers/form_tag_helper.rb b/actionview/lib/action_view/helpers/form_tag_helper.rb
index 79a1a242bf..d521553481 100644
--- a/actionview/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionview/lib/action_view/helpers/form_tag_helper.rb
@@ -870,10 +870,16 @@ module ActionView
''
when /^post$/i, "", nil
html_options["method"] = "post"
- token_tag(authenticity_token)
+ token_tag(authenticity_token, form_options: {
+ action: html_options["action"],
+ method: "post"
+ })
else
html_options["method"] = "post"
- method_tag(method) + token_tag(authenticity_token)
+ method_tag(method) + token_tag(authenticity_token, form_options: {
+ action: html_options["action"],
+ method: method
+ })
end
if html_options.delete("enforce_utf8") { true }
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index baebc34b4b..3a4561a083 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -311,7 +311,11 @@ module ActionView
form_options[:action] = url
form_options[:'data-remote'] = true if remote
- request_token_tag = form_method == 'post' ? token_tag : ''
+ request_token_tag = if form_method == 'post'
+ token_tag(nil, form_options: form_options)
+ else
+ ''
+ end
html_options = convert_options_to_data_attributes(options, html_options)
html_options['type'] = 'submit'
@@ -579,9 +583,9 @@ module ActionView
html_options["data-method"] = method
end
- def token_tag(token=nil)
+ def token_tag(token=nil, form_options: {})
if token != false && protect_against_forgery?
- token ||= form_authenticity_token
+ token ||= form_authenticity_token(form_options: form_options)
tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token)
else
''
diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb
index 784a48ed8d..89cabb8f6b 100644
--- a/actionview/test/template/url_helper_test.rb
+++ b/actionview/test/template/url_helper_test.rb
@@ -582,7 +582,7 @@ class UrlHelperTest < ActiveSupport::TestCase
self.request_forgery
end
- def form_authenticity_token
+ def form_authenticity_token(*args)
"secret"
end