Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md16
-rw-r--r--actionpack/lib/abstract_controller/layouts.rb3
-rw-r--r--actionpack/lib/action_controller/test_case.rb5
-rw-r--r--actionpack/lib/action_view/helpers/form_tag_helper.rb15
-rw-r--r--actionpack/test/controller/base_test.rb5
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb22
6 files changed, 51 insertions, 15 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index d7552e74e1..465d19e50d 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,12 +1,26 @@
## Rails 3.2.3 (unreleased) ##
+* Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value *DHH*
+
* Turn off verbose mode of rack-cache, we still have X-Rack-Cache to
check that info. Closes #5245. *Santiago Pastorino*
* Fix #5238, rendered_format is not set when template is not rendered. *Piotr Sarnacki*
+* Upgrade rack-cache to 1.2. *José Valim*
+
+* ActionController::SessionManagement is deprecated. *Santiago Pastorino*
+
+* Since the router holds references to many parts of the system like engines, controllers and the application itself, inspecting the route set can actually be really slow, therefore we default alias inspect to to_s. *José Valim*
+
+* Add a new line after the textarea opening tag. Closes #393 *Rafael Mendonça França*
+
+* Always pass a respond block from to responder. We should let the responder to decide what to do with the given overridden response block, and not short circuit it. *sikachu*
+
+* Fixes layout rendering regression from 3.2.2. *José Valim*
+
-## Rails 3.2.2 (unreleased) ##
+## Rails 3.2.2 (March 1, 2012) ##
* Format lookup for partials is derived from the format in which the template is being rendered. Closes #5025 part 2 *Santiago Pastorino*
diff --git a/actionpack/lib/abstract_controller/layouts.rb b/actionpack/lib/abstract_controller/layouts.rb
index cb3b793418..c482062592 100644
--- a/actionpack/lib/abstract_controller/layouts.rb
+++ b/actionpack/lib/abstract_controller/layouts.rb
@@ -237,8 +237,7 @@ module AbstractController
#
# If the specified layout is a:
# String:: the String is the template name
- # Symbol:: call the method specified by the symbol, which will return
- # the template name
+ # Symbol:: call the method specified by the symbol, which will return the template name
# false:: There is no layout
# true:: raise an ArgumentError
# nil:: Force default layout behavior with inheritance
diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb
index 7470897659..c985a8ca10 100644
--- a/actionpack/lib/action_controller/test_case.rb
+++ b/actionpack/lib/action_controller/test_case.rb
@@ -483,11 +483,6 @@ module ActionController
end
end
- # Cause the action to be rescued according to the regular rules for rescue_action when the visitor is not local
- def rescue_action_in_public!
- @request.remote_addr = '208.77.188.166' # example.com
- end
-
included do
include ActionController::TemplateAssertions
include ActionDispatch::Assertions
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index e3ad96ec1b..4ce878f26a 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -27,7 +27,9 @@ module ActionView
# is added to simulate the verb over post.
# * <tt>:authenticity_token</tt> - Authenticity token to use in the form. Use only if you need to
# pass custom authenticity token string, or to not add authenticity_token field at all
- # (by passing <tt>false</tt>).
+ # (by passing <tt>false</tt>). If this is a remote form, the authenticity_token will by default
+ # not be included as the ajax handler will get it from the meta-tag (but you can force it to be
+ # rendered anyway in that case by passing <tt>true</tt>).
# * A list of parameters to feed to the URL the form will be posted to.
# * <tt>:remote</tt> - If set to true, will allow the Unobtrusive JavaScript drivers to control the
# submit behavior. By default this behavior is an ajax submit.
@@ -609,8 +611,17 @@ module ActionView
# responsibility of the caller to escape all the values.
html_options["action"] = url_for(url_for_options)
html_options["accept-charset"] = "UTF-8"
+
html_options["data-remote"] = true if html_options.delete("remote")
- html_options["authenticity_token"] = html_options.delete("authenticity_token") if html_options.has_key?("authenticity_token")
+
+ if html_options["data-remote"] && html_options["authenticity_token"] == true
+ # Include the default authenticity_token, which is only generated when its set to nil,
+ # but we needed the true value to override the default of no authenticity_token on data-remote.
+ html_options["authenticity_token"] = nil
+ elsif html_options["data-remote"]
+ # The authenticity token is taken from the meta tag in this case
+ html_options["authenticity_token"] = false
+ end
end
end
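Review bot: The `elsif html_options["data-remote"]` branch at the bottom of the hunk discards a caller-supplied token string: with `:remote => true, :authenticity_token => "some-token"` the option is neither `true` nor absent, so it falls through and is overwritten with `false`, contradicting the option documentation in this file's first hunk, which says a custom authenticity token string may be passed. Guarding on the option being unset keeps both a custom string and an explicit `false` intact: `elsif html_options["data-remote"] && html_options["authenticity_token"].nil?`. The comment on the `false` branch should also state what the omission relies on — the layout rendering `csrf_meta_tags` and the UJS driver injecting the token into the request — since a remote form submitted with JavaScript unavailable degrades to a plain POST with no token that `protect_from_forgery` will reject. The tests added in request_forgery_protection_test.rb cover only the `true` and unset cases, so a remote form with a custom token string is the missing case that would pin this. The enclosing method begins outside the hunk.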
diff --git a/actionpack/test/controller/base_test.rb b/actionpack/test/controller/base_test.rb
index 6f76ab9596..145ef12b94 100644
--- a/actionpack/test/controller/base_test.rb
+++ b/actionpack/test/controller/base_test.rb
@@ -153,8 +153,6 @@ class PerformActionTest < ActionController::TestCase
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
@request.host = "www.nextangle.com"
-
- rescue_action_in_public!
end
def test_process_should_be_precise
@@ -206,7 +204,6 @@ class UrlOptionsTest < ActionController::TestCase
def setup
super
@request.host = 'www.example.com'
- rescue_action_in_public!
end
##
@@ -306,7 +303,6 @@ class DefaultUrlOptionsTest < ActionController::TestCase
def setup
super
@request.host = 'www.example.com'
- rescue_action_in_public!
end
def test_default_url_options_override
@@ -357,7 +353,6 @@ class EmptyUrlOptionsTest < ActionController::TestCase
def setup
super
@request.host = 'www.example.com'
- rescue_action_in_public!
end
def test_ensure_url_for_works_as_expected_when_called_with_no_options_if_default_url_options_is_not_set
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index fd5a41a0bb..37b9de350b 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -37,6 +37,14 @@ module RequestForgeryProtectionActions
render :inline => "<%= form_for(:some_resource, :authenticity_token => false ) {} %>"
end
+ def form_for_remote
+ render :inline => "<%= form_for(:some_resource, :remote => true ) {} %>"
+ end
+
+ def form_for_remote_with_token
+ render :inline => "<%= form_for(:some_resource, :remote => true, :authenticity_token => true ) {} %>"
+ end
+
def rescue_action(e) raise e end
end
@@ -103,6 +111,20 @@ module RequestForgeryProtectionTests
assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token
end
+ def test_should_render_form_without_token_tag_if_remote
+ assert_not_blocked do
+ get :form_for_remote
+ end
+ assert_no_match /authenticity_token/, response.body
+ end
+
+ def test_should_render_form_with_token_tag_if_remote_and_authenticity_token_requested
+ assert_not_blocked do
+ get :form_for_remote_with_token
+ end
+ assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token
+ end
+
def test_should_allow_get
assert_not_blocked { get :index }
end