2 files changed, 45 insertions, 108 deletions

diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 96e4fdda48..490b2c1215 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -201,7 +201,12 @@ module ActionView
         end
 
         form_method = method.to_s == 'get' ? 'get' : 'post'
-
+        
+        request_token_tag = ''
+        if form_method == 'post' && request_forgery_protection_token
+          request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
+        end
+        
         if confirm = html_options.delete("confirm")
           html_options["onclick"] = "return #{confirm_javascript_function(confirm)};"
         end
@@ -212,7 +217,7 @@ module ActionView
         html_options.merge!("type" => "submit", "value" => name)
 
         "<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" +
-          method_tag + tag("input", html_options) + "</div></form>"
+          method_tag + tag("input", html_options) + request_token_tag + "</div></form>"
       end
 
 
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 98ca44c8cb..a9b674405d 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -4,42 +4,21 @@ ActionController::Routing::Routes.draw do |map|
   map.connect ':controller/:action/:id'
 end
 
-class RequestForgeryProtectionController < ActionController::Base
-  protect_from_forgery :only => :index, :secret => 'abc'
-
-  def index
-    render :inline => "<%= form_tag('/') {} %>"
-  end
-  
-  def unsafe
-    render :text => 'pwn'
-  end
-  
-  def rescue_action(e) raise e end
-end
-
-class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
-  def setup
-    @controller = RequestForgeryProtectionController.new
-    @request    = ActionController::TestRequest.new
-    @response   = ActionController::TestResponse.new
-    class << @request.session
-      def session_id() '123' end
-    end
-    @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
-    ActionController::Base.request_forgery_protection_token = :authenticity_token
-  end
-  
+module RequestForgeryProtectionTests
   def teardown
     ActionController::Base.request_forgery_protection_token = nil
   end
-
+  
   def test_should_render_form_with_token_tag
     get :index
     assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
   end
+  
+  def test_should_render_button_to_with_token_tag
+    get :show_button
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
+  end
 
-  # Replace this with your real tests.
   def test_should_allow_get
     get :index
     assert_response :success
@@ -105,14 +84,15 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
   end
 end
 
-# no token is given, assume the cookie store is used
-class CsrfCookieMonsterController < ActionController::Base
-  protect_from_forgery :only => :index
-
+module RequestForgeryProtectionActions
   def index
     render :inline => "<%= form_tag('/') {} %>"
   end
   
+  def show_button
+    render :inline => "<%= button_to('New', '/') {} %>"
+  end
+  
   def unsafe
     render :text => 'pwn'
   end
@@ -120,6 +100,31 @@ class CsrfCookieMonsterController < ActionController::Base
   def rescue_action(e) raise e end
 end
 
+class RequestForgeryProtectionController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery :only => :index, :secret => 'abc'
+end
+
+class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
+  include RequestForgeryProtectionTests
+  def setup
+    @controller = RequestForgeryProtectionController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    class << @request.session
+      def session_id() '123' end
+    end
+    @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+    ActionController::Base.request_forgery_protection_token = :authenticity_token
+  end
+end
+
+# no token is given, assume the cookie store is used
+class CsrfCookieMonsterController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery :only => :index
+end
+
 class FakeSessionDbMan
   def self.generate_digest(data)
     Digest::SHA1.hexdigest("secure")
@@ -127,6 +132,7 @@ class FakeSessionDbMan
 end
 
 class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
+  include RequestForgeryProtectionTests
   def setup
     @controller = CsrfCookieMonsterController.new
     @request    = ActionController::TestRequest.new
@@ -139,79 +145,5 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
     @token = Digest::SHA1.hexdigest("secure")
     ActionController::Base.request_forgery_protection_token = :authenticity_token
   end
-  
-  def teardown
-    ActionController::Base.request_forgery_protection_token = nil
-  end
-
-  def test_should_render_form_with_token_tag
-    get :index
-    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
-  end
-
-  # Replace this with your real tests.
-  def test_should_allow_get
-    get :index
-    assert_response :success
-  end
-  
-  def test_should_allow_post_without_token_on_unsafe_action
-    post :unsafe
-    assert_response :success
-  end
-  
-  def test_should_not_allow_post_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
-  end
-  
-  def test_should_not_allow_put_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
-  end
-  
-  def test_should_not_allow_delete_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
-  end
-  
-  def test_should_not_allow_xhr_post_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
-  end
-  
-  def test_should_not_allow_xhr_put_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
-  end
-  
-  def test_should_not_allow_xhr_delete_without_token
-    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
-  end
-  
-  def test_should_allow_post_with_token
-    post :index, :authenticity_token => @token
-    assert_response :success
-  end
-  
-  def test_should_allow_put_with_token
-    put :index, :authenticity_token => @token
-    assert_response :success
-  end
-  
-  def test_should_allow_delete_with_token
-    delete :index, :authenticity_token => @token
-    assert_response :success
-  end
-  
-  def test_should_allow_post_with_xml
-    post :index, :format => 'xml'
-    assert_response :success
-  end
-  
-  def test_should_allow_put_with_xml
-    put :index, :format => 'xml'
-    assert_response :success
-  end
-  
-  def test_should_allow_delete_with_xml
-    delete :index, :format => 'xml'
-    assert_response :success
-  end
 end