From a4c120f165c5a0b7976ba72638261c3342364e38 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Wed, 14 Mar 2012 19:03:39 -0400
Subject: Do not include the authenticity token in forms where remote: true as
 ajax forms use the meta-tag value

---
 actionpack/lib/action_view/helpers/form_tag_helper.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'actionpack/lib/action_view/helpers/form_tag_helper.rb')

diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 9fad30a48f..696688a5dd 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -616,8 +616,15 @@ module ActionView
             # responsibility of the caller to escape all the values.
             html_options["action"]  = url_for(url_for_options)
             html_options["accept-charset"] = "UTF-8"
-            html_options["data-remote"] = true if html_options.delete("remote")
-            html_options["authenticity_token"] = html_options.delete("authenticity_token") if html_options.has_key?("authenticity_token")
+            
+            if html_options.delete("remote")
+              html_options["data-remote"] = true 
+
+              # The authenticity token is taken from the meta tag in this case
+              html_options["authenticity_token"] = false
+            else
+              html_options["authenticity_token"] = html_options.delete("authenticity_token") if html_options.has_key?("authenticity_token")
+            end
           end
         end
 
-- 
cgit v1.2.3