Diffstat (limited to 'actionpack/lib/action_controller')
4 files changed, 31 insertions, 13 deletions
diff --git a/actionpack/lib/action_controller/base/request_forgery_protection.rb b/actionpack/lib/action_controller/base/request_forgery_protection.rb index 3067122ceb..0a0e20e1f1 100644 --- a/actionpack/lib/action_controller/base/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/base/request_forgery_protection.rb @@ -3,12 +3,26 @@ module ActionController #:nodoc: end module RequestForgeryProtection - def self.included(base) - base.class_eval do - helper_method :form_authenticity_token - helper_method :protect_against_forgery? + extend ActiveSupport::DependencyModule + + # TODO : Remove the defined? check when new base is the main base + if defined?(ActionController::Http) + depends_on AbstractController::Helpers, Session + end + + included do + if defined?(ActionController::Http) + # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+ + # sets it to <tt>:authenticity_token</tt> by default. + cattr_accessor :request_forgery_protection_token + + # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode. + class_inheritable_accessor :allow_forgery_protection + self.allow_forgery_protection = true end - base.extend(ClassMethods) + + helper_method :form_authenticity_token + helper_method :protect_against_forgery? end # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a diff --git a/actionpack/lib/action_controller/new_base.rb b/actionpack/lib/action_controller/new_base.rb index 8bc15d2450..93c54174b7 100644 --- a/actionpack/lib/action_controller/new_base.rb +++ b/actionpack/lib/action_controller/new_base.rb 
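Review bot: The comment above `class_inheritable_accessor :allow_forgery_protection` says protection is "Turned off by default only in test mode", but the next added line sets `self.allow_forgery_protection = true` unconditionally, and nothing in this hunk shows where a test environment would switch it off. Because this flag controls whether request forgery protection is on, the comment should state the default exactly, for example `# Controls whether request forgery protection is enforced. Defaults to true; an environment that disables it (e.g. test) must do so explicitly.`, which also fixes the "forgergy" typo. Both accessors are declared only inside `if defined?(ActionController::Http)`, so on the old base they presumably come from another file; a one-line comment naming that file would help. The module body continues past the end of the hunk.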
@@ -25,8 +25,9 @@ module ActionController autoload :UrlRewriter, 'action_controller/routing/generation/url_rewriter' autoload :UrlWriter, 'action_controller/routing/generation/url_rewriter' - autoload :Verification, 'action_controller/base/verification' - autoload :Flash, 'action_controller/base/chained/flash' + autoload :Verification, 'action_controller/base/verification' + autoload :Flash, 'action_controller/base/chained/flash' + autoload :RequestForgeryProtection, 'action_controller/base/request_forgery_protection' require 'action_controller/routing' end diff --git a/actionpack/lib/action_controller/new_base/base.rb b/actionpack/lib/action_controller/new_base/base.rb index a419a80b6a..3d8f785280 100644 --- a/actionpack/lib/action_controller/new_base/base.rb +++ b/actionpack/lib/action_controller/new_base/base.rb @@ -14,10 +14,6 @@ module ActionController include ActionController::Layouts include ActionController::ConditionalGet - include ActionController::Session - include ActionController::Flash - include ActionController::Verification - # Legacy modules include SessionManagement include ActionDispatch::StatusCodes @@ -27,6 +23,11 @@ module ActionController # Rails 2.x compatibility include ActionController::Rails2Compatibility + include ActionController::Session + include ActionController::Flash + include ActionController::Verification + include ActionController::RequestForgeryProtection + # TODO: Extract into its own module # This should be moved together with other normalizing behavior module ImplicitRender diff --git a/actionpack/lib/action_controller/new_base/compatibility.rb b/actionpack/lib/action_controller/new_base/compatibility.rb index 9b85b39052..522a9fe23b 100644 --- a/actionpack/lib/action_controller/new_base/compatibility.rb +++ b/actionpack/lib/action_controller/new_base/compatibility.rb 
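Review bot: The second hunk of new_base/base.rb moves the Session, Flash and Verification includes below `include ActionController::Rails2Compatibility` and adds `include ActionController::RequestForgeryProtection` there, with no comment saying why the order matters. If these modules are meant to load after the compatibility module (compatibility.rb in this commit drops its no-op `protect_from_forgery` and defines `ActionControllerError`), a comment such as `# Keep these after Rails2Compatibility; see compatibility.rb for the constants they need` would record that. Without it, a later reorder could break loading, or let a reintroduced compatibility stub replace the real forgery check unnoticed. The class body starts and ends outside the hunk.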
@@ -1,7 +1,10 @@ module ActionController module Rails2Compatibility extend ActiveSupport::DependencyModule - + + class ::ActionController::ActionControllerError < StandardError #:nodoc: + end + # Temporary hax included do ::ActionController::UnknownAction = ::AbstractController::ActionNotFound @@ -65,7 +68,6 @@ module ActionController end module ClassMethods - def protect_from_forgery() end def consider_all_requests_local() end def rescue_action(env) raise env["action_dispatch.rescue.exception"] |