Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_view/helpers/form_helper.rb | 18 | ||||
-rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 18 |
2 files changed, 36 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index d6edef0d34..408a3b6721 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -298,6 +298,24 @@ module ActionView
 #
 # If you don't need to attach a form to a model instance, then check out
 # FormTagHelper#form_tag.
+ #
+ # === Form to external resources
+ #
+ # When you build forms to external resources sometimes you need to set an authenticity token or just render a form
+ # without it, for example when you submit data to a payment gateway number and types of fields could be limited.
+ #
+ # To set an authenticity token you need to pass an <tt>:authenticity_token</tt> parameter in the <tt>:html</tt>
+ # options section:
+ #
+ # <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => 'external_token' } do |f|
+ # ...
+ # <% end %>
+ #
+ # If you don't want to an authenticity token field be rendered at all just pass <tt>false</tt>:
+ #
+ # <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => false } do |f|
+ # ...
+ # <% end %>
 def form_for(record, options = {}, &proc)
 raise ArgumentError, "Missing block" unless block_given?
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 405af2a650..4f4de0cbee 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
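Review bot: The new paragraph on `:authenticity_token => false` is ungrammatical and does not say what the option actually controls; judging by the accompanying tests it only decides whether the hidden `authenticity_token` input is rendered, not whether the receiving application verifies one, so a form that posts back to this application with `false` would presumably still be rejected by its own forgery protection. I would reword the line to `# If you don't want an authenticity token field to be rendered at all, pass <tt>false</tt>:` and add `# This only omits the hidden field; use it for forms that post to an external URL which does not expect the token.` The first paragraph also runs two sentences together (`... a payment gateway number and types of fields ...`) and needs a full stop or comma before `number`. The body of `form_for` continues past the end of the hunk.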
@@ -28,6 +28,14 @@ module RequestForgeryProtectionActions
 render :inline => "<%= csrf_meta_tags %>"
 end
+ def external_form_for
+ render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => 'external_token' }) {} %>"
+ end
+
+ def form_for_without_protection
+ render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => false }) {} %>"
+ end
+
 def rescue_action(e) raise e end
 end
@@ -68,6 +76,16 @@ module RequestForgeryProtectionTests
 assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
 end
+ def test_should_render_external_form_for_with_external_token
+ get :external_form_for
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', 'external_token'
+ end
+
+ def test_should_render_form_for_without_token_tag
+ get :form_for_without_protection
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+ end
+
 def test_should_render_button_to_with_token_tag
 get :show_button
 assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token |
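Review bot: `test_should_render_form_for_without_token_tag` in the second hunk only asserts that no `authenticity_token` input carrying the value `@token` is present, so a form that still rendered the hidden field with some other value, or an empty one, would pass; the test does not actually pin "no token field rendered", which is what the name promises. Drop the value selector so any such input fails the test: `assert_select 'form>div>input[name=?]', 'authenticity_token', false`. The first new test is fine as it asserts the exact external value. `@token` is set in setup outside the hunk, so I am assuming it is the value the helper would normally render.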