From a58db74c4feda7b8e2a02882c030b252d6fa8611 Mon Sep 17 00:00:00 2001 From: Genadi Samokovarov Date: Wed, 26 Dec 2018 21:10:37 +0200 Subject: Don't expect defined protect_against_forgery? in {token,csrf_meta}_tag The `#csrf_meta_tags` and `#token_tag` Action View helper methods are expecting the class in which are included to explicitly define the method `#protect_against_forgery?` or else they will fail with `NoMethodError`. This is a problem if you want to use Action View outside of Rails applications. For example, in #34788 I used the `#button_to` helper inside of the error pages templates that have a custom `ActionView::Base` subclass, which did not defined `#protect_against_forgery?` and trying to call the button failed. I had to dig inside of Action View to find-out what's was going on. I think we should either set a default method implementation in the helpers or check for the method definition, but don't explicitly require the presence of `#protect_against_forgery?` in every `ActionViews::Base` subclass as the errors are hard to figure out. --- actionview/CHANGELOG.md | 8 ++-- actionview/lib/action_view/helpers/csrf_helper.rb | 2 +- actionview/lib/action_view/helpers/url_helper.rb | 2 +- actionview/test/template/csrf_helper_test.rb | 46 +++++++++++++++++++++++ actionview/test/template/url_helper_test.rb | 10 +++++ 5 files changed, 63 insertions(+), 5 deletions(-) create mode 100644 actionview/test/template/csrf_helper_test.rb diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md index df4036a5a7..36f10958b6 100644 --- a/actionview/CHANGELOG.md +++ b/actionview/CHANGELOG.md @@ -1,9 +1,13 @@ +* Fix the need of `#protect_against_forgery?` method defined in + `ActionView::Base` subclasses. This prevents the use of forms and buttons. + + *Genadi Samokovarov* + * Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms. Fixes #33889 *Wolfgang Hobmaier* - * Prevent non-primary mouse keys from triggering Rails UJS click handlers. Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks. For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur. @@ -16,7 +20,6 @@ *Wolfgang Hobmaier* - * Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines. For example, given input like this: @@ -34,7 +37,6 @@ *Lyle Mullican* - * Add allocations to template rendering instrumentation. Adds the allocations for template and partial rendering to the server output on render. diff --git a/actionview/lib/action_view/helpers/csrf_helper.rb b/actionview/lib/action_view/helpers/csrf_helper.rb index 69c59844a6..c0422c6ff5 100644 --- a/actionview/lib/action_view/helpers/csrf_helper.rb +++ b/actionview/lib/action_view/helpers/csrf_helper.rb @@ -20,7 +20,7 @@ module ActionView # "X-CSRF-Token" HTTP header. If you are using rails-ujs this happens automatically. # def csrf_meta_tags - if protect_against_forgery? + if defined?(protect_against_forgery?) && protect_against_forgery? [ tag("meta", name: "csrf-param", content: request_forgery_protection_token), tag("meta", name: "csrf-token", content: form_authenticity_token) diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb index 948dd1551f..d63ada3890 100644 --- a/actionview/lib/action_view/helpers/url_helper.rb +++ b/actionview/lib/action_view/helpers/url_helper.rb @@ -618,7 +618,7 @@ module ActionView end def token_tag(token = nil, form_options: {}) - if token != false && protect_against_forgery? + if token != false && defined?(protect_against_forgery?) && protect_against_forgery? token ||= form_authenticity_token(form_options: form_options) tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token) else diff --git a/actionview/test/template/csrf_helper_test.rb b/actionview/test/template/csrf_helper_test.rb new file mode 100644 index 0000000000..dd9821eb6c --- /dev/null +++ b/actionview/test/template/csrf_helper_test.rb @@ -0,0 +1,46 @@ +# frozen_string_literal: true + +require "abstract_unit" + +class CsrfHelperTest < ActiveSupport::TestCase + cattr_accessor :request_forgery, default: false + + include ActionView::Helpers::CsrfHelper + include ActionView::Helpers::TagHelper + include Rails::Dom::Testing::Assertions::DomAssertions + + def test_csrf_meta_tags_without_request_forgery_protection + assert_dom_equal "", csrf_meta_tags + end + + def test_csrf_meta_tags_with_request_forgery_protection + self.request_forgery = true + + assert_dom_equal <<~DOM.chomp, csrf_meta_tags + + + DOM + ensure + self.request_forgery = false + end + + def test_csrf_meta_tags_without_protect_against_forgery_method + self.class.undef_method(:protect_against_forgery?) + + assert_dom_equal "", csrf_meta_tags + ensure + self.class.define_method(:protect_against_forgery?) { request_forgery } + end + + def protect_against_forgery? + request_forgery + end + + def form_authenticity_token(*args) + "secret" + end + + def request_forgery_protection_token + "form_token" + end +end diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb index 1ab28e4749..632b32f09f 100644 --- a/actionview/test/template/url_helper_test.rb +++ b/actionview/test/template/url_helper_test.rb @@ -119,6 +119,16 @@ class UrlHelperTest < ActiveSupport::TestCase ) end + def test_button_to_without_protect_against_forgery_method + self.class.undef_method(:protect_against_forgery?) + assert_dom_equal( + %{
}, + button_to("Hello", "http://www.example.com") + ) + ensure + self.class.define_method(:protect_against_forgery?) { request_forgery } + end + def test_button_to_with_straight_url assert_dom_equal %{
}, button_to("Hello", "http://www.example.com") end -- cgit v1.2.3