Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | code gardening: we have assert_(nil|blank|present), more concise, with ↵ | Xavier Noria | 2010-08-17 | 1 | -1/+1 |
| | | | | better default failure messages - let's use them | ||||
* | Test that csrf meta content is html-escaped, too | Jeremy Kemper | 2010-02-04 | 1 | -1/+2 |
| | |||||
* | Revert dumb test | Jeremy Kemper | 2010-02-04 | 1 | -2/+2 |
| | |||||
* | HTML-escape csrf meta contents | Jeremy Kemper | 2010-02-04 | 1 | -2/+2 |
| | |||||
* | Expose CSRF param name also | Jeremy Kemper | 2010-02-04 | 1 | -1/+1 |
| | |||||
* | Expose CSRF tag for UJS adapters | Jeremy Kemper | 2010-02-04 | 1 | -1/+15 |
| | |||||
* | Move form_remote_tag and remote_form_for into prototype_legacy_helper | Joshua Peek | 2010-01-30 | 1 | -27/+18 |
| | |||||
* | Fix test bleed | Jeremy Kemper | 2009-11-18 | 1 | -1/+1 |
| | |||||
* | Extract form_authenticity_param instance method so it's overridable in ↵ | Jeremy Kemper | 2009-11-17 | 1 | -1/+19 |
| | | | | subclasses | ||||
* | Cleanup route reloading in tests. Prefer with_routing over using ↵ | Joshua Peek | 2009-08-16 | 1 | -5/+1 |
| | | | | ActionController::Routing::Routes directly | ||||
* | Don't check authenticity tokens for any AJAX requests | Ross Kaffenburger and Bryan Helmkamp | 2009-04-15 | 1 | -5/+6 |
| | |||||
* | Ruby 1.9 compat: rename deprecated assert_raises to assert_raise. | Jeremy Kemper | 2009-03-08 | 1 | -9/+9 |
| | | | | [#1617 state:resolved] | ||||
* | Change the forgery token implementation to just be a simple random string. | Michael Koziarski | 2008-11-23 | 1 | -87/+6 |
| | | | | This deprecates the use of :secret and :digest which were only needed when we were hashing session ids. | ||||
* | Merge branch 'master' into testing | Jeremy Kemper | 2008-11-15 | 1 | -52/+66 |
|\ | |||||
| * | Changed request forgery protection to only worry about HTML-formatted ↵ | Jeff Cohen | 2008-11-13 | 1 | -52/+66 |
| | | | | | | | | | | | | content requests. Signed-off-by: Michael Koziarski <michael@koziarski.com> | ||||
* | | Move controller assertions from base TestCase to AC:: and AV::TestCase | Jeremy Kemper | 2008-11-07 | 1 | -5/+5 |
|/ | |||||
* | Merge branch 'master' of git@github.com:rails/rails | rick | 2008-05-13 | 1 | -0/+24 |
|\ | |||||
| * | Bug: Earlier Check for Session in Forgery Protection | Peter Jones | 2008-05-11 | 1 | -0/+24 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The session is used by the form_authenticity_token method before it is tested to be valid. This patch moves a few lines around so that the session is validated first. Without this patch, if you try to use forgery protection with sessions turned off, you get this exception message: undefined method `session_id' for {}:Hash The patch includes a test that can be used to see this behavior before the request_forgery_protection.rb file is patched to fix it. | ||||
* | | change ActionController::RequestForgeryProtection to use ↵ | rick | 2008-05-06 | 1 | -3/+45 |
| | | | | | | | | Mime::Type#verify_request? [#73] | ||||
* | | Change the request forgery protection to go by Content-Type instead of ↵ | rick | 2008-05-06 | 1 | -4/+25 |
|/ | | | | request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved] | ||||
* | Don't append the forgery token to an ajax request if it's serializing a ↵ | Michael Koziarski | 2008-01-08 | 1 | -0/+9 |
| | | | | | | form, prevents duplicate tokens. Closes #10684 [macournoyer] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | ||||
* | require abstract_unit directly since test is in load path | Jeremy Kemper | 2008-01-05 | 1 | -1/+1 |
| | | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | ||||
* | Ruby 1.9 compat, consistent load paths | Jeremy Kemper | 2007-10-02 | 1 | -1/+1 |
| | | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | ||||
* | Better error messages if you leave out the :secret option for request ↵ | Rick Olson | 2007-09-28 | 1 | -45/+74 |
| | | | | | | forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | ||||
* | Add missing require | Michael Koziarski | 2007-09-28 | 1 | -0/+1 |
| | | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | ||||
* | Allow ability to disable request forgery protection, disable it in test mode ↵ | Rick Olson | 2007-09-28 | 1 | -0/+38 |
| | | | | | | by default. Closes #9693 [lifofifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | ||||
* | Protect button_to behind protect_from_forgery (closes #9675) [lifo] | David Heinemeier Hansson | 2007-09-25 | 1 | -106/+38 |
| | | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | ||||
* | Change from InvalidToken to InvalidAuthenticityToken to be more specific | David Heinemeier Hansson | 2007-09-24 | 1 | -12/+12 |
| | | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | ||||
* | Rename some RequestForgeryProtection methods. The class method is now ↵ | Rick Olson | 2007-09-23 | 1 | -12/+12 |
| | | | | | | #protect_from_forgery, and the default parameter is now 'authenticity_token'. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de | ||||
* | Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model ↵ | Rick Olson | 2007-09-23 | 1 | -0/+217 |
that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de |