From 7f53dca1a13e21ec4400a765f637b73c0f194979 Mon Sep 17 00:00:00 2001 From: Carlhuda Date: Fri, 19 Mar 2010 11:09:41 -0700 Subject: Fix protect_against_forgery --- actionpack/lib/action_controller/railtie.rb | 4 +++- railties/test/application/configuration_test.rb | 27 +++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb index 6a3afbb157..2626a31fc2 100644 --- a/actionpack/lib/action_controller/railtie.rb +++ b/actionpack/lib/action_controller/railtie.rb @@ -52,7 +52,9 @@ module ActionController ac.stylesheets_dir = paths.public.stylesheets.to_a.first ac.secret = app.config.cookie_secret - ActionController.base_hook { self.config.replace(ac) } + ActionController.base_hook do + self.config.merge!(ac) + end end initializer "action_controller.initialize_framework_caches" do diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb index 54cd751f4e..1b6c657d6d 100644 --- a/railties/test/application/configuration_test.rb +++ b/railties/test/application/configuration_test.rb @@ -228,5 +228,32 @@ module ApplicationTests get "/" assert_equal File.expand_path(__FILE__), last_response.headers["X-Lighttpd-Send-File"] end + + test "protect from forgery is the default in a new app" do + require "rails" + require "action_controller/railtie" + + class MyApp < Rails::Application + config.session_store :disabled + + routes.draw do + match "/" => "omg#index" + end + + class ::OmgController < ActionController::Base + protect_from_forgery + + def index + render :inline => "<%= csrf_meta_tag %>" + end + end + end + + require 'rack/test' + extend Rack::Test::Methods + + get "/" + assert last_response.body =~ /csrf\-param/ + end end end -- cgit v1.2.3