diff options
Diffstat (limited to 'actionpack/lib/action_controller')
| -rwxr-xr-x | actionpack/lib/action_controller/base.rb | 5 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/request_forgery_protection.rb | 14 |
2 files changed, 15 insertions, 4 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index fd7e9e5244..9ac728e96a 100755 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -328,8 +328,11 @@ module ActionController #:nodoc: cattr_accessor :resource_action_separator # Sets the token parameter name for RequestForgery. Calling #protect_from_forgery sets it to :authenticity_token by default - @@request_forgery_protection_token = nil cattr_accessor :request_forgery_protection_token + + # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode. + class_inheritable_accessor :allow_forgery_protection + self.allow_forgery_protection = true # Holds the request object that's primarily used to get environment variables through access like # <tt>request.env["REQUEST_URI"]</tt>. diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 803782113d..3a7eb789c4 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -8,6 +8,7 @@ module ActionController #:nodoc: class_inheritable_accessor :request_forgery_protection_options self.request_forgery_protection_options = {} helper_method :form_authenticity_token + helper_method :protect_against_forgery? end base.extend(ClassMethods) end @@ -48,6 +49,9 @@ module ActionController #:nodoc: # # # uses one of the other session stores that uses a session_id value. # protect_from_forgery :secret => 'my-little-pony', :except => :index + # + # # you can disable csrf protection on controller-by-controller basis: + # skip_before_filter :verify_authenticity_token # end # # Valid Options: @@ -75,9 +79,9 @@ module ActionController #:nodoc: # * is it a GET request? Gets should be safe and idempotent # * Does the form_authenticity_token match the given _token value from the params? def verified_request? - request_forgery_protection_token.nil? || - request.method == :get || - !verifiable_request_format? || + !protect_against_forgery? || + request.method == :get || + !verifiable_request_format? || form_authenticity_token == params[request_forgery_protection_token] end @@ -110,5 +114,9 @@ module ActionController #:nodoc: session[:csrf_id] ||= CGI::Session.generate_unique_id session.dbman.generate_digest(session[:csrf_id]) end + + def protect_against_forgery? + allow_forgery_protection && request_forgery_protection_token + end end end
\ No newline at end of file |