From c61900385452e50bd825f1ab5abef95bc969fadc Mon Sep 17 00:00:00 2001 From: Rick Olson Date: Sun, 23 Sep 2007 18:14:44 +0000 Subject: Rename some RequestForgeryProtection methods. The class method is now #protect_from_forgery, and the default parameter is now 'authenticity_token'. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de --- .../request_forgery_protection.rb | 51 +++++++++++++--------- 1 file changed, 31 insertions(+), 20 deletions(-) (limited to 'actionpack/lib/action_controller/request_forgery_protection.rb') diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 9aef1ae833..df84e33050 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -1,43 +1,43 @@ module ActionController #:nodoc: class InvalidToken < ActionControllerError; end - # Protect a controller's actions with the #verify_token method. Failure to validate will result in a ActionController::InvalidToken + # Protect a controller's actions with the #protect_from_forgery method. Failure to validate will result in a ActionController::InvalidToken # exception. Customize the error message through the use of rescue_templates and rescue_action_in_public. # # class FooController < ApplicationController # # uses the cookie session store - # verify_token :except => :index + # protect_from_forgery :except => :index # # # uses one of the other session stores that uses a session_id value. - # verify_token :secret => 'my-little-pony', :except => :index + # protect_from_forgery :secret => 'my-little-pony', :except => :index # end # # Valid Options: # # * :only/:except - passed to the before_filter call. Set which actions are verified. - # * :secret - Custom salt used to generate the form_token. Leave this off if you are using the cookie session store. + # * :secret - Custom salt used to generate the form_authenticity_token. Leave this off if you are using the cookie session store. # * :digest - Message digest used for hashing. Defaults to 'SHA1' module RequestForgeryProtection def self.included(base) base.class_eval do - class_inheritable_accessor :verify_token_options - self.verify_token_options = {} - helper_method :form_token + class_inheritable_accessor :request_forgery_protection_options + self.request_forgery_protection_options = {} + helper_method :form_authenticity_token end base.extend(ClassMethods) end module ClassMethods - def verify_token(options = {}) - self.request_forgery_protection_token ||= :_token - before_filter :verify_request_token, :only => options.delete(:only), :except => options.delete(:except) - verify_token_options.update(options) + def protect_from_forgery(options = {}) + self.request_forgery_protection_token ||= :authenticity_token + before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except) + request_forgery_protection_options.update(options) end end protected # The actual before_filter that is used. Modify this to change how you handle unverified requests. - def verify_request_token + def verify_authenticity_token verified_request? || raise(ActionController::InvalidToken) end @@ -45,9 +45,12 @@ module ActionController #:nodoc: # # * is the format restricted? By default, only HTML and AJAX requests are checked. # * is it a GET request? Gets should be safe and idempotent - # * Does the form_token match the given _token value from the params? + # * Does the form_authenticity_token match the given _token value from the params? def verified_request? - request_forgery_protection_token.nil? || request.method == :get || !verifiable_request_format? || form_token == params[request_forgery_protection_token] + request_forgery_protection_token.nil? || + request.method == :get || + !verifiable_request_format? || + form_authenticity_token == params[request_forgery_protection_token] end def verifiable_request_format? @@ -55,19 +58,27 @@ module ActionController #:nodoc: end # Sets the token value for the current session. Pass a :secret option in #verify_token to add a custom salt to the hash. - def form_token - @form_token ||= verify_token_options[:secret] ? token_from_session_id : token_from_cookie_session + def form_authenticity_token + @form_authenticity_token ||= if request_forgery_protection_options[:secret] + authenticity_token_from_session_id + else + authenticity_token_from_cookie_session + end end # Generates a unique digest using the session_id and the CSRF secret. - def token_from_session_id - key = verify_token_options[:secret].respond_to?(:call) ? verify_token_options[:secret].call(@session) : verify_token_options[:secret] - digest = verify_token_options[:digest] || 'SHA1' + def authenticity_token_from_session_id + key = if request_forgery_protection_options[:secret].respond_to?(:call) + request_forgery_protection_options[:secret].call(@session) + else + request_forgery_protection_options[:secret] + end + digest = request_forgery_protection_options[:digest] ||= 'SHA1' OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session.session_id.to_s) end # No secret was given, so assume this is a cookie session store. - def token_from_cookie_session + def authenticity_token_from_cookie_session session[:csrf_id] ||= CGI::Session.generate_unique_id session.dbman.generate_digest(session[:csrf_id]) end -- cgit v1.2.3