2 files changed, 61 insertions, 38 deletions
diff --git a/actionpack/test/controller/base_test.rb b/actionpack/test/controller/base_test.rb
index 950788743e..001493afc0 100644
--- a/actionpack/test/controller/base_test.rb
+++ b/actionpack/test/controller/base_test.rb
@@ -1,31 +1,11 @@
 require 'abstract_unit'
 require 'active_support/logger'
 require 'controller/fake_models'
-require 'pp' # require 'pp' early to prevent hidden_methods from not picking up the pretty-print methods until too late
 
 # Provide some controller to run the tests on.
 module Submodule
   class ContainedEmptyController < ActionController::Base
   end
-
-  class ContainedNonEmptyController < ActionController::Base
-    def public_action
-      render :nothing => true
-    end
-
-    hide_action :hidden_action
-    def hidden_action
-      raise "Noooo!"
-    end
-
-    def another_hidden_action
-    end
-    hide_action :another_hidden_action
-  end
-
-  class SubclassedController < ContainedNonEmptyController
-    hide_action :public_action # Hiding it here should not affect the superclass.
-  end
 end
 
 class EmptyController < ActionController::Base
@@ -35,10 +15,6 @@ class NonEmptyController < ActionController::Base
   def public_action
     render :nothing => true
   end
-
-  hide_action :hidden_action
-  def hidden_action
-  end
 end
 
 class DefaultUrlOptionsController < ActionController::Base
@@ -108,10 +84,7 @@ class ControllerInstanceTests < ActiveSupport::TestCase
   def setup
     @empty = EmptyController.new
     @contained = Submodule::ContainedEmptyController.new
-    @empty_controllers = [@empty, @contained, Submodule::SubclassedController.new]
-
-    @non_empty_controllers = [NonEmptyController.new,
-                              Submodule::ContainedNonEmptyController.new]
+    @empty_controllers = [@empty, @contained]
   end
 
   def test_performed?
@@ -124,10 +97,6 @@ class ControllerInstanceTests < ActiveSupport::TestCase
     @empty_controllers.each do |c|
       assert_equal Set.new, c.class.action_methods, "#{c.controller_path} should be empty!"
     end
-
-    @non_empty_controllers.each do |c|
-      assert_equal Set.new(%w(public_action)), c.class.action_methods, "#{c.controller_path} should not be empty!"
-    end
   end
 
   def test_temporary_anonymous_controllers
@@ -161,12 +130,6 @@ class PerformActionTest < ActionController::TestCase
     assert_equal "The action 'non_existent' could not be found for EmptyController", exception.message
   end
 
-  def test_get_on_hidden_should_fail
-    use_controller NonEmptyController
-    assert_raise(AbstractController::ActionNotFound) { get :hidden_action }
-    assert_raise(AbstractController::ActionNotFound) { get :another_hidden_action }
-  end
-
   def test_action_missing_should_work
     use_controller ActionMissingController
     get :arbitrary_action
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 3e0bfe8d14..ea2d35c3f8 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -103,6 +103,31 @@ class RequestForgeryProtectionControllerUsingNullSession < ActionController::Bas
   end
 end
 
+class PrependProtectForgeryBaseController < ActionController::Base
+  before_action :custom_action
+  attr_accessor :called_callbacks
+
+  def index
+    render inline: 'OK'
+  end
+
+  protected
+
+  def add_called_callback(name)
+    @called_callbacks ||= []
+    @called_callbacks << name
+  end
+
+
+  def custom_action
+    add_called_callback("custom_action")
+  end
+
+  def verify_authenticity_token
+    add_called_callback("verify_authenticity_token")
+  end
+end
+
 class FreeCookieController < RequestForgeryProtectionControllerUsingResetSession
   self.allow_forgery_protection = false
 
@@ -431,6 +456,41 @@ class RequestForgeryProtectionControllerUsingExceptionTest < ActionController::T
   end
 end
 
+class PrependProtectForgeryBaseControllerTest < ActionController::TestCase
+  PrependTrueController = Class.new(PrependProtectForgeryBaseController) do
+    protect_from_forgery prepend: true
+  end
+
+  PrependFalseController = Class.new(PrependProtectForgeryBaseController) do
+    protect_from_forgery prepend: false
+  end
+
+  PrependDefaultController = Class.new(PrependProtectForgeryBaseController) do
+    protect_from_forgery
+  end
+
+  def test_verify_authenticity_token_is_prepended
+    @controller = PrependTrueController.new
+    get :index
+    expected_callback_order = ["verify_authenticity_token", "custom_action"]
+    assert_equal(expected_callback_order, @controller.called_callbacks)
+  end
+
+  def test_verify_authenticity_token_is_not_prepended
+    @controller = PrependFalseController.new
+    get :index
+    expected_callback_order = ["custom_action", "verify_authenticity_token"]
+    assert_equal(expected_callback_order, @controller.called_callbacks)
+  end
+
+  def test_verify_authenticity_token_is_prepended_by_default
+    @controller = PrependDefaultController.new
+    get :index
+    expected_callback_order = ["verify_authenticity_token", "custom_action"]
+    assert_equal(expected_callback_order, @controller.called_callbacks)
+  end
+end
+
 class FreeCookieControllerTest < ActionController::TestCase
   def setup
     @controller = FreeCookieController.new