From 5edc81dcc2e13bdce3da01745b0d1af654342aad Mon Sep 17 00:00:00 2001
From: Rick Olson <technoweenie@gmail.com>
Date: Fri, 28 Sep 2007 15:55:45 +0000
Subject: Allow ability to disable request forgery protection, disable it in
 test mode by default.  Closes #9693 [lifofifo]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 .../lib/action_controller/request_forgery_protection.rb    | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'actionpack/lib/action_controller/request_forgery_protection.rb')

diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index 803782113d..3a7eb789c4 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -8,6 +8,7 @@ module ActionController #:nodoc:
         class_inheritable_accessor :request_forgery_protection_options
         self.request_forgery_protection_options = {}
         helper_method :form_authenticity_token
+        helper_method :protect_against_forgery?
       end
       base.extend(ClassMethods)
     end
@@ -48,6 +49,9 @@ module ActionController #:nodoc:
       #
       #     # uses one of the other session stores that uses a session_id value.
       #     protect_from_forgery :secret => 'my-little-pony', :except => :index
+      #
+      #     # you can disable csrf protection on controller-by-controller basis:
+      #     skip_before_filter :verify_authenticity_token
       #   end
       #
       # Valid Options:
@@ -75,9 +79,9 @@ module ActionController #:nodoc:
       # * is it a GET request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given _token value from the params?
       def verified_request?
-        request_forgery_protection_token.nil? ||
-          request.method == :get              ||
-          !verifiable_request_format?         ||
+        !protect_against_forgery?     ||
+          request.method == :get      ||
+          !verifiable_request_format? ||
           form_authenticity_token == params[request_forgery_protection_token]
       end
     
@@ -110,5 +114,9 @@ module ActionController #:nodoc:
         session[:csrf_id] ||= CGI::Session.generate_unique_id
         session.dbman.generate_digest(session[:csrf_id])
       end
+      
+      def protect_against_forgery?
+        allow_forgery_protection && request_forgery_protection_token
+      end
   end
 end
\ No newline at end of file
-- 
cgit v1.2.3