diff options
Diffstat (limited to 'actionpack/test/controller')
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 30 | ||||
| -rw-r--r-- | actionpack/test/controller/routing_test.rb | 4 |
2 files changed, 33 insertions, 1 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 521d93f02e..4d441ab1a9 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -163,6 +163,13 @@ class PerFormTokensController < ActionController::Base end end +class SkipProtectionController < ActionController::Base + include RequestForgeryProtectionActions + protect_from_forgery with: :exception + skip_forgery_protection if: :skip_requested + attr_accessor :skip_requested +end + # common test methods module RequestForgeryProtectionTests def setup @@ -964,3 +971,26 @@ class PerFormTokensControllerTest < ActionController::TestCase assert_equal expected, actual end end + +class SkipProtectionControllerTest < ActionController::TestCase + def test_should_not_allow_post_without_token_when_not_skipping + @controller.skip_requested = false + assert_blocked { post :index } + end + + def test_should_allow_post_without_token_when_skipping + @controller.skip_requested = true + assert_not_blocked { post :index } + end + + def assert_blocked + assert_raises(ActionController::InvalidAuthenticityToken) do + yield + end + end + + def assert_not_blocked + assert_nothing_raised { yield } + assert_response :success + end +end diff --git a/actionpack/test/controller/routing_test.rb b/actionpack/test/controller/routing_test.rb index 56b39510bb..fefb84e095 100644 --- a/actionpack/test/controller/routing_test.rb +++ b/actionpack/test/controller/routing_test.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require "abstract_unit" require "controller/fake_controllers" require "active_support/core_ext/object/with_options" @@ -656,7 +658,7 @@ class LegacyRouteSetTests < ActiveSupport::TestCase assert_equal "/page/foo", url_for(rs, controller: "content", action: "show_page", id: "foo") assert_equal({ controller: "content", action: "show_page", id: "foo" }, rs.recognize_path("/page/foo")) - token = "\321\202\320\265\320\272\321\201\321\202" # 'text' in Russian + token = "\321\202\320\265\320\272\321\201\321\202".dup # 'text' in Russian token.force_encoding(Encoding::BINARY) escaped_token = CGI::escape(token) |