4 files changed, 33 insertions, 8 deletions

diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb
index 95de595f4f..6ce78f34b5 100644
--- a/actionpack/lib/action_controller/base.rb
+++ b/actionpack/lib/action_controller/base.rb
@@ -174,8 +174,8 @@ module ActionController
     # Shortcut helper that returns all the ActionController modules except the ones passed in the argument:
     #
     #   class MetalController
-    #     ActionController::Base.without_modules(:ParamsWrapper, :Streaming).each do |module|
-    #       include module
+    #     ActionController::Base.without_modules(:ParamsWrapper, :Streaming).each do |left|
+    #       include left
     #     end
     #   end
     #
diff --git a/actionpack/lib/action_controller/metal/mime_responds.rb b/actionpack/lib/action_controller/metal/mime_responds.rb
index f413a2f318..73e044a092 100644
--- a/actionpack/lib/action_controller/metal/mime_responds.rb
+++ b/actionpack/lib/action_controller/metal/mime_responds.rb
@@ -259,8 +259,12 @@ module ActionController #:nodoc:
       end
     end
 
-    # Collects mimes and return the response for the negotiated format. Returns
-    # nil if :not_acceptable was sent to the client.
+    # Returns a Collector object containing the appropriate mime-type response
+    # for the current request, based on the available responses defined by a block.
+    # In typical usage this is the block passed to +respond_with+ or +respond_to+.
+    #
+    # Sends :not_acceptable to the client and returns nil if no suitable format
+    # is available.
     #
     def retrieve_collector_from_mimes(mimes=nil, &block) #:nodoc:
       mimes ||= collect_mimes_from_class_level
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index afa9243f02..3081c14c09 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -37,6 +37,10 @@ module ActionController #:nodoc:
       config_accessor :request_forgery_protection_token
       self.request_forgery_protection_token ||= :authenticity_token
 
+      # Controls how unverified request will be handled
+      config_accessor :request_forgery_protection_method
+      self.request_forgery_protection_method ||= :reset_session
+
       # Controls whether request forgery protection is turned on or not. Turned off by default only in test mode.
       config_accessor :allow_forgery_protection
       self.allow_forgery_protection = true if allow_forgery_protection.nil?
@@ -64,8 +68,10 @@ module ActionController #:nodoc:
       # Valid Options:
       #
       # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call. Set which actions are verified.
+      # * <tt>:with</tt> - Set the method to handle unverified request. Valid values: <tt>:exception</tt> and <tt>:reset_session</tt> (default).
       def protect_from_forgery(options = {})
         self.request_forgery_protection_token ||= :authenticity_token
+        self.request_forgery_protection_method = options.delete(:with) if options.key?(:with)
         prepend_before_filter :verify_authenticity_token, options
       end
     end
@@ -80,9 +86,19 @@ module ActionController #:nodoc:
       end
 
       # This is the method that defines the application behavior when a request is found to be unverified.
-      # By default, \Rails resets the session when it finds an unverified request.
+      # By default, \Rails uses <tt>request_forgery_protection_method</tt> when it finds an unverified request:
+      #
+      # * <tt>:reset_session</tt> - Resets the session.
+      # * <tt>:exception</tt>: - Raises ActionController::InvalidAuthenticityToken exception.
       def handle_unverified_request
-        reset_session
+        case request_forgery_protection_method
+        when :exception
+          raise ActionController::InvalidAuthenticityToken
+        when :reset_session
+          reset_session
+        else
+          raise ArgumentError, 'Invalid request forgery protection method, use :exception or :reset_session'
+        end
       end
 
       # Returns true or false if a request is verified. Checks:
diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb
index e9a3ec5a22..7af30ed690 100644
--- a/actionpack/lib/action_controller/test_case.rb
+++ b/actionpack/lib/action_controller/test_case.rb
@@ -56,6 +56,9 @@ module ActionController
     #   # assert that the "new" view template was rendered
     #   assert_template "new"
     #
+    #   # assert that the exact template "admin/posts/new" was rendered
+    #   assert_template %r{\Aadmin/posts/new\Z}
+    #
     #   # assert that the "_customer" partial was rendered twice
     #   assert_template :partial => '_customer', :count => 2
     #
@@ -74,11 +77,11 @@ module ActionController
       response.body
 
       case options
-      when NilClass, String, Symbol
+      when NilClass, String, Symbol, Regexp
         options = options.to_s if Symbol === options
         rendered = @templates
         msg = message || sprintf("expecting <%s> but rendering with <%s>",
-                options, rendered.keys)
+                options.inspect, rendered.keys)
         assert_block(msg) do
           if options
             rendered.any? { |t,num| t.match(options) }
@@ -121,6 +124,8 @@ module ActionController
           assert @partials.empty?,
             "Expected no partials to be rendered"
         end
+      else
+        raise ArgumentError, "assert_template only accepts a String, Symbol, Hash, Regexp, or nil"
       end
     end
   end