aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller/request_forgery_protection_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Fix indentation.Emilio Tagua2010-09-271-19/+18
|
* get csrf_meta_tag back to the generated layout in deference to existing ↵Xavier Noria2010-09-141-1/+1
| | | | printed material, chomp also the generated HTML to be faithful to the output before the refactor
* revises implementation and documentation of csrf_meta_tags, and aliases ↵Xavier Noria2010-09-111-2/+6
| | | | csrf_meta_tag to it for backwards compatibilty
* code gardening: we have assert_(nil|blank|present), more concise, with ↵Xavier Noria2010-08-171-1/+1
| | | | better default failure messages - let's use them
* Test that csrf meta content is html-escaped, tooJeremy Kemper2010-02-041-1/+2
|
* Revert dumb testJeremy Kemper2010-02-041-2/+2
|
* HTML-escape csrf meta contentsJeremy Kemper2010-02-041-2/+2
|
* Expose CSRF param name alsoJeremy Kemper2010-02-041-1/+1
|
* Expose CSRF tag for UJS adaptersJeremy Kemper2010-02-041-1/+15
|
* Move form_remote_tag and remote_form_for into prototype_legacy_helperJoshua Peek2010-01-301-27/+18
|
* Fix test bleedJeremy Kemper2009-11-181-1/+1
|
* Extract form_authenticity_param instance method so it's overridable in ↵Jeremy Kemper2009-11-171-1/+19
| | | | subclasses
* Cleanup route reloading in tests. Prefer with_routing over using ↵Joshua Peek2009-08-161-5/+1
| | | | ActionController::Routing::Routes directly
* Don't check authenticity tokens for any AJAX requestsRoss Kaffenburger and Bryan Helmkamp2009-04-151-5/+6
|
* Ruby 1.9 compat: rename deprecated assert_raises to assert_raise.Jeremy Kemper2009-03-081-9/+9
| | | | [#1617 state:resolved]
* Change the forgery token implementation to just be a simple random string.Michael Koziarski2008-11-231-87/+6
| | | | This deprecates the use of :secret and :digest which were only needed when we were hashing session ids.
* Merge branch 'master' into testingJeremy Kemper2008-11-151-52/+66
|\
| * Changed request forgery protection to only worry about HTML-formatted ↵Jeff Cohen2008-11-131-52/+66
| | | | | | | | | | | | content requests. Signed-off-by: Michael Koziarski <michael@koziarski.com>
* | Move controller assertions from base TestCase to AC:: and AV::TestCaseJeremy Kemper2008-11-071-5/+5
|/
* Merge branch 'master' of git@github.com:rails/railsrick2008-05-131-0/+24
|\
| * Bug: Earlier Check for Session in Forgery ProtectionPeter Jones2008-05-111-0/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The session is used by the form_authenticity_token method before it is tested to be valid. This patch moves a few lines around so that the session is validated first. Without this patch, if you try to use forgery protection with sessions turned off, you get this exception message: undefined method `session_id' for {}:Hash The patch includes a test that can be used to see this behavior before the request_forgery_protection.rb file is patched to fix it.
* | change ActionController::RequestForgeryProtection to use ↵rick2008-05-061-3/+45
| | | | | | | | Mime::Type#verify_request? [#73]
* | Change the request forgery protection to go by Content-Type instead of ↵rick2008-05-061-4/+25
|/ | | | request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]
* Don't append the forgery token to an ajax request if it's serializing a ↵Michael Koziarski2008-01-081-0/+9
| | | | | | form, prevents duplicate tokens. Closes #10684 [macournoyer] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
* require abstract_unit directly since test is in load pathJeremy Kemper2008-01-051-1/+1
| | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
* Ruby 1.9 compat, consistent load pathsJeremy Kemper2007-10-021-1/+1
| | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
* Better error messages if you leave out the :secret option for request ↵Rick Olson2007-09-281-45/+74
| | | | | | forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
* Add missing requireMichael Koziarski2007-09-281-0/+1
| | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
* Allow ability to disable request forgery protection, disable it in test mode ↵Rick Olson2007-09-281-0/+38
| | | | | | by default. Closes #9693 [lifofifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
* Protect button_to behind protect_from_forgery (closes #9675) [lifo]David Heinemeier Hansson2007-09-251-106/+38
| | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
* Change from InvalidToken to InvalidAuthenticityToken to be more specificDavid Heinemeier Hansson2007-09-241-12/+12
| | | | git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
* Rename some RequestForgeryProtection methods. The class method is now ↵Rick Olson2007-09-231-12/+12
| | | | | | #protect_from_forgery, and the default parameter is now 'authenticity_token'. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
* Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model ↵Rick Olson2007-09-231-0/+217
that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de