diff options
| author | Michael Koziarski <michael@koziarski.com> | 2006-03-14 01:57:12 +0000 |
|---|---|---|
| committer | Michael Koziarski <michael@koziarski.com> | 2006-03-14 01:57:12 +0000 |
| commit | c6abe81b1eebd741b2a36e6618bf6f1c07b87588 (patch) | |
| tree | e93e0fe02b650b3eb5e5a3269b445de296b8f09a /railties | |
| parent | e9d6fea533e6b6fd1d9a6024de113370fdd13926 (diff) | |
| download | rails-c6abe81b1eebd741b2a36e6618bf6f1c07b87588.tar.gz rails-c6abe81b1eebd741b2a36e6618bf6f1c07b87588.tar.bz2 rails-c6abe81b1eebd741b2a36e6618bf6f1c07b87588.zip | |
Add verification to scaffolds (generated and reflection based). Require POST for unsafe actions [Michael Koziarski]. Closes #2601
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@3864 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'railties')
3 files changed, 11 insertions, 1 deletions
diff --git a/railties/CHANGELOG b/railties/CHANGELOG index 6b50897638..112d91d355 100644 --- a/railties/CHANGELOG +++ b/railties/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Add verification to generated scaffolds, don't allow get for unsafe actions [Michael Koziarski] + * Don't replace application.js in public/javascripts if it already exists [Cody Fauser] * Change test:uncommitted to delay execution of `svn status` by using internal Rake API's. [Nicholas Seckar] diff --git a/railties/lib/rails_generator/generators/components/scaffold/templates/controller.rb b/railties/lib/rails_generator/generators/components/scaffold/templates/controller.rb index ddc03e63ba..9595fcca61 100644 --- a/railties/lib/rails_generator/generators/components/scaffold/templates/controller.rb +++ b/railties/lib/rails_generator/generators/components/scaffold/templates/controller.rb @@ -11,6 +11,14 @@ class <%= controller_class_name %>Controller < ApplicationController end <% end -%> + + # GET should only be used for operations which are 'safe', or read-only. So require + # post for all actions which change state. + # + # http://www.w3.org/2001/tag/doc/whenToUseGet.html + verify :method=>:post, :only=>[:destroy<%= suffix %>, :create<%= suffix %>, :update<%= suffix %>], + :redirect_to=> {:action=>:list<%= suffix %>} + def list<%= suffix %> @<%= singular_name %>_pages, @<%= plural_name %> = paginate :<%= plural_name %>, :per_page => 10 end diff --git a/railties/lib/rails_generator/generators/components/scaffold/templates/view_list.rhtml b/railties/lib/rails_generator/generators/components/scaffold/templates/view_list.rhtml index 09d5f87cf3..2c6314f4bb 100644 --- a/railties/lib/rails_generator/generators/components/scaffold/templates/view_list.rhtml +++ b/railties/lib/rails_generator/generators/components/scaffold/templates/view_list.rhtml @@ -14,7 +14,7 @@ <%% end %> <td><%%= link_to 'Show', :action => 'show<%= suffix %>', :id => <%= singular_name %> %></td> <td><%%= link_to 'Edit', :action => 'edit<%= suffix %>', :id => <%= singular_name %> %></td> - <td><%%= link_to 'Destroy', { :action => 'destroy<%= suffix %>', :id => <%= singular_name %> }, :confirm => 'Are you sure?' %></td> + <td><%%= link_to 'Destroy', { :action => 'destroy<%= suffix %>', :id => <%= singular_name %> }, :confirm => 'Are you sure?', :post=>true %></td> </tr> <%% end %> </table> |