From 7fb99e5743d88c04357e09960d112376428a6faa Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Fri, 2 Sep 2011 08:22:29 -0700 Subject: Change log level for CSRF token verification warning --- actionpack/lib/action_controller/metal/request_forgery_protection.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 4d016271ea..bc22e39efb 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -74,7 +74,7 @@ module ActionController #:nodoc:
 # The actual before_filter that is used. Modify this to change how you handle unverified requests.
 def verify_authenticity_token
 unless verified_request?
- logger.debug "WARNING: Can't verify CSRF token authenticity" if logger
+ logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
 handle_unverified_request
 end
 end
-- cgit v1.2.3
From 538fb18dead05760e76587fd53f04ae03dd2ab63 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sat, 10 Sep 2011 09:51:55 -0700 Subject: Add test for warning and CHANGELOG entry --- actionpack/CHANGELOG | 2 ++ .../test/controller/request_forgery_protection_test.rb | 16 ++++++++++++++++ 2 files changed, 18 insertions(+)
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 82dfc625a6..9510a61c90 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *Rails 3.2.0 (unreleased)*
+* Changed log level of warning for missing CSRF token from :debug to :warn. Fixes #2972 [Mike Dillon]
+
 * content_tag_for and div_for can now take the collection of records. It will also yield the record as the first argument if you set a receiving argument in your block [Prem Sichanugrist]
 So instead of having to do this:
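Review bot: The `logger.warn` line added in `verify_authenticity_token` carries no request detail, so if production runs at log level warn (the request-start line is, as far as I know, written at info and would be filtered) an operator cannot tell which endpoint or method the rejected request hit. Consider including the method and path, e.g. `logger.warn "WARNING: Can't verify CSRF token authenticity for #{request.request_method} #{request.path}" if logger`; the `/CSRF token authenticity/` match in the follow-up test would still pass. The `WARNING:` prefix is also redundant now that the severity says the same thing. Because any client can trigger this line, alerting built on it should count or rate-limit rather than fire per event.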
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index d94db7f5fb..7a0b724387 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -1,6 +1,7 @@
 require 'abstract_unit'
 require 'digest/sha1'
 require 'active_support/core_ext/string/strip'
+require "active_support/log_subscriber/test_helper"
 # common controller actions
 module RequestForgeryProtectionActions
@@ -157,6 +158,21 @@ module RequestForgeryProtectionTests
 assert_not_blocked { put :index }
 end
+ def test_should_warn_on_missing_csrf_token
+ old_logger = ActionController::Base.logger
+ logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
+ ActionController::Base.logger = logger
+
+ begin
+ assert_blocked { post :index }
+
+ assert_equal 1, logger.logged(:warn).size
+ assert_match(/CSRF token authenticity/, logger.logged(:warn).last)
+ rescue
+ ActionController::Base.logger = old_logger
+ end
+ end
+
 def assert_blocked
 session[:something_like_user_id] = 1
 yield
-- cgit v1.2.3
From e7e6515146322c4e5feba61c8365458df4b9fd67 Mon Sep 17 00:00:00 2001 From: Mike Dillon Date: Sat, 10 Sep 2011 09:54:57 -0700 Subject: Fix changelog entry --- actionpack/CHANGELOG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 9510a61c90..b757df6f22 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,6 +1,6 @@
 *Rails 3.2.0 (unreleased)*
-* Changed log level of warning for missing CSRF token from :debug to :warn. Fixes #2972 [Mike Dillon]
+* Changed log level of warning for missing CSRF token from :debug to :warn. [Mike Dillon]
 * content_tag_for and div_for can now take the collection of records. It will also yield the record as the first argument if you set a receiving argument in your block [Prem Sichanugrist]
-- cgit v1.2.3
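Review bot: The `rescue` in `test_should_warn_on_missing_csrf_token` should be `ensure`: as written, `ActionController::Base.logger = old_logger` runs only when the `begin` body raises, so on a passing run the `MockLogger` stays installed on `ActionController::Base` for every later test. The bare `rescue` also swallows any `StandardError` from the body, which, depending on whether the test framework's assertion failure descends from `StandardError`, may let a failed `assert_equal` or `assert_match` pass silently. Replacing the `rescue` line with `ensure` fixes both. The whole method is inside this hunk.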