diff options
| author | Sergey Nartimov <just.lest@gmail.com> | 2012-03-09 19:33:06 +0300 |
|---|---|---|
| committer | Sergey Nartimov <just.lest@gmail.com> | 2012-03-09 19:33:06 +0300 |
| commit | 245941101b1ea00a9b1af613c20b0ee994a43946 (patch) | |
| tree | a00431449c3dd935677a3fcb8728aa0dfb4b3cba /railties | |
| parent | 7638004d7d23df668ec33a3c570b7865e0d06a06 (diff) | |
| download | rails-245941101b1ea00a9b1af613c20b0ee994a43946.tar.gz rails-245941101b1ea00a9b1af613c20b0ee994a43946.tar.bz2 rails-245941101b1ea00a9b1af613c20b0ee994a43946.zip | |
configure how unverified request will be handled
can be configured using `:with` option in `protect_from_forgery` method
or `request_forgery_protection_method` config option
possible values:
- :reset_session (default)
- :exception
new applications are generated with:
protect_from_forgery :with => :exception
Diffstat (limited to 'railties')
| -rw-r--r-- | railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb | 4 | ||||
| -rw-r--r-- | railties/test/application/configuration_test.rb | 18 |
2 files changed, 17 insertions, 5 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb index e8065d9505..b3d6adad2a 100644 --- a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb +++ b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb @@ -1,3 +1,5 @@ class ApplicationController < ActionController::Base - protect_from_forgery + # prevent CSRF attacks by raising an exception, + # if your application has an API, you'll probably need to use :reset_session + protect_from_forgery :with => :exception end diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb index c9310aff87..ac5ac2b93e 100644 --- a/railties/test/application/configuration_test.rb +++ b/railties/test/application/configuration_test.rb @@ -275,19 +275,23 @@ module ApplicationTests require "#{app_path}/config/environment" + token = "cf50faa3fe97702ca1ae" + PostsController.any_instance.stubs(:form_authenticity_token).returns(token) + params = {:authenticity_token => token} + get "/posts/1" assert_match /patch/, last_response.body - patch "/posts/1" + patch "/posts/1", params assert_match /update/, last_response.body - patch "/posts/1" + patch "/posts/1", params assert_equal 200, last_response.status - put "/posts/1" + put "/posts/1", params assert_match /update/, last_response.body - put "/posts/1" + put "/posts/1", params assert_equal 200, last_response.status end @@ -528,6 +532,12 @@ module ApplicationTests end RUBY + app_file 'app/controllers/application_controller.rb', <<-RUBY + class ApplicationController < ActionController::Base + protect_from_forgery :with => :reset_session # as we are testing API here + end + RUBY + app_file 'app/controllers/posts_controller.rb', <<-RUBY class PostsController < ApplicationController def create |