Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/action_view/helpers/form_helper.rb18
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb18
2 files changed, 36 insertions, 0 deletions
diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index d6edef0d34..408a3b6721 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -298,6 +298,24 @@ module ActionView
#
# If you don't need to attach a form to a model instance, then check out
# FormTagHelper#form_tag.
+ #
+ # === Form to external resources
+ #
+ # When you build forms to external resources sometimes you need to set an authenticity token or just render a form
+ # without it, for example when you submit data to a payment gateway number and types of fields could be limited.
+ #
+ # To set an authenticity token you need to pass an <tt>:authenticity_token</tt> parameter in the <tt>:html</tt>
+ # options section:
+ #
+ # <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => 'external_token' } do |f|
+ # ...
+ # <% end %>
+ #
+ # If you don't want to an authenticity token field be rendered at all just pass <tt>false</tt>:
+ #
+ # <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => false } do |f|
+ # ...
+ # <% end %>
def form_for(record, options = {}, &proc)
raise ArgumentError, "Missing block" unless block_given?
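Review bot: The new RDoc section is the only description of the <tt>:authenticity_token</tt> option and two of its sentences are hard to parse: `# If you don't want to an authenticity token field be rendered at all just pass <tt>false</tt>:` should read `# If you don't want an authenticity token field rendered at all, pass <tt>false</tt>:`, and the opening sentence needs a comma before "for example". The docs should also say what the <tt>false</tt> setting implies for the form's target, e.g. `# A form rendered with <tt>:authenticity_token => false</tt> carries no token, so it should only post to an external URL; a submission to this application would presumably be rejected by protect_from_forgery.` The body of form_for continues outside the hunk.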
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 405af2a650..4f4de0cbee 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -28,6 +28,14 @@ module RequestForgeryProtectionActions
render :inline => "<%= csrf_meta_tags %>"
end
+ def external_form_for
+ render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => 'external_token' }) {} %>"
+ end
+
+ def form_for_without_protection
+ render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => false }) {} %>"
+ end
+
def rescue_action(e) raise e end
end
@@ -68,6 +76,16 @@ module RequestForgeryProtectionTests
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
+ def test_should_render_external_form_for_with_external_token
+ get :external_form_for
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', 'external_token'
+ end
+
+ def test_should_render_form_for_without_token_tag
+ get :form_for_without_protection
+ assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+ end
+
def test_should_render_button_to_with_token_tag
get :show_button
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
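Review bot: The negative assertion in test_should_render_form_for_without_token_tag only proves that no hidden input carries the value held in @token; an authenticity_token input with any other value (an empty string, say) would still let the test pass, which is weaker than the test name claims. Drop the value selector so the absence of the field itself is asserted: `assert_select 'form>div>input[name=?]', 'authenticity_token', false`.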