From 8366cabd652a5fbb56fc0942614fbc965e7e45ed Mon Sep 17 00:00:00 2001 From: David Lee Date: Mon, 9 May 2011 16:17:38 -0700 Subject: Test csrf token param name customization --- .../controller/request_forgery_protection_test.rb | 25 ++++++++++++++++------ railties/test/application/configuration_test.rb | 17 +++++++++++++-- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 31f4bf3a76..dea80ed887 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -81,22 +81,25 @@ module RequestForgeryProtectionTests @token = "cf50faa3fe97702ca1ae" ActiveSupport::SecureRandom.stubs(:base64).returns(@token) - ActionController::Base.request_forgery_protection_token = :authenticity_token + ActionController::Base.request_forgery_protection_token = :custom_authenticity_token end + def teardown + ActionController::Base.request_forgery_protection_token = nil + end def test_should_render_form_with_token_tag assert_not_blocked do get :index end - assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token + assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token end def test_should_render_button_to_with_token_tag assert_not_blocked do get :show_button end - assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token + assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token end def test_should_allow_get @@ -128,15 +131,15 @@ module RequestForgeryProtectionTests end def test_should_allow_post_with_token - assert_not_blocked { post :index, :authenticity_token => @token } + assert_not_blocked { post :index, :custom_authenticity_token => @token } end def test_should_allow_put_with_token - assert_not_blocked { put :index, :authenticity_token => @token } + assert_not_blocked { put :index, :custom_authenticity_token => @token } end def test_should_allow_delete_with_token - assert_not_blocked { delete :index, :authenticity_token => @token } + assert_not_blocked { delete :index, :custom_authenticity_token => @token } end def test_should_allow_post_with_token_in_header @@ -172,10 +175,18 @@ end class RequestForgeryProtectionControllerTest < ActionController::TestCase include RequestForgeryProtectionTests + setup do + ActionController::Base.request_forgery_protection_token = :custom_authenticity_token + end + + teardown do + ActionController::Base.request_forgery_protection_token = nil + end + test 'should emit a csrf-param meta tag and a csrf-token meta tag' do ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?') get :meta - assert_select 'meta[name=?][content=?]', 'csrf-param', 'authenticity_token' + assert_select 'meta[name=?][content=?]', 'csrf-param', 'custom_authenticity_token' assert_select 'meta[name=?][content=?]', 'csrf-token', 'cf50faa3fe97702ca1ae<=?' end end diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb index 6193e72625..43876c0a72 100644 --- a/railties/test/application/configuration_test.rb +++ b/railties/test/application/configuration_test.rb @@ -225,8 +225,6 @@ module ApplicationTests make_basic_app class ::OmgController < ActionController::Base - protect_from_forgery - def index render :inline => "<%= csrf_meta_tags %>" end @@ -236,6 +234,21 @@ module ApplicationTests assert last_response.body =~ /csrf\-param/ end + test "request forgery token param can be changed" do + make_basic_app do + app.config.action_controller.request_forgery_protection_token = '_xsrf_token_here' + end + + class ::OmgController < ActionController::Base + def index + render :inline => "<%= csrf_meta_tags %>" + end + end + + get "/" + assert last_response.body =~ /_xsrf_token_here/ + end + test "config.action_controller.perform_caching = true" do make_basic_app do |app| app.config.action_controller.perform_caching = true -- cgit v1.2.3