diff options
| -rw-r--r-- | actionpack/lib/action_view/helpers/form_helper.rb | 9 | ||||
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 4 |
2 files changed, 7 insertions, 6 deletions
diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb index 408a3b6721..d30fd248c1 100644 --- a/actionpack/lib/action_view/helpers/form_helper.rb +++ b/actionpack/lib/action_view/helpers/form_helper.rb @@ -304,16 +304,15 @@ module ActionView # When you build forms to external resources sometimes you need to set an authenticity token or just render a form # without it, for example when you submit data to a payment gateway number and types of fields could be limited. # - # To set an authenticity token you need to pass an <tt>:authenticity_token</tt> parameter in the <tt>:html</tt> - # options section: + # To set an authenticity token you need to pass an <tt>:authenticity_token</tt> parameter # - # <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => 'external_token' } do |f| + # <%= form_for @invoice, :url => external_url, :authenticity_token => 'external_token' do |f| # ... # <% end %> # # If you don't want to an authenticity token field be rendered at all just pass <tt>false</tt>: # - # <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => false } do |f| + # <%= form_for @invoice, :url => external_url, :authenticity_token => false do |f| # ... # <% end %> def form_for(record, options = {}, &proc) @@ -332,6 +331,8 @@ module ActionView end options[:html][:remote] = options.delete(:remote) + options[:html][:authenticity_token] = options.delete(:authenticity_token) + builder = options[:parent_builder] = instantiate_builder(object_name, object, options, &proc) fields_for = fields_for(object_name, object, options, &proc) default_options = builder.multipart? ? { :multipart => true } : {} diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 4f4de0cbee..68d4c6a57c 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -29,11 +29,11 @@ module RequestForgeryProtectionActions end def external_form_for - render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => 'external_token' }) {} %>" + render :inline => "<%= form_for(:some_resource, :authenticity_token => 'external_token') {} %>" end def form_for_without_protection - render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => false }) {} %>" + render :inline => "<%= form_for(:some_resource, :authenticity_token => false ) {} %>" end def rescue_action(e) raise e end |