From 5ef8a81b846120b51b35503f5c2079036b321630 Mon Sep 17 00:00:00 2001
From: Michael Koziarski <michael@koziarski.com>
Date: Tue, 8 Jan 2008 21:17:08 +0000
Subject: Don't append the forgery token to an ajax request if it's serializing
 a form, prevents duplicate tokens. Closes #10684 [macournoyer]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/test/controller/request_forgery_protection_test.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'actionpack/test/controller')

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 4fcdc7ed4a..d0c3c6e224 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -22,6 +22,10 @@ module RequestForgeryProtectionActions
     render :inline => "<%= button_to('New', '/') {} %>"
   end
   
+  def remote_form
+    render :inline => "<% form_remote_tag(:url => '/') {} %>"
+  end
+
   def unsafe
     render :text => 'pwn'
   end
@@ -75,6 +79,11 @@ module RequestForgeryProtectionTests
     assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
   end
 
+  def test_should_render_remote_form_with_only_one_token_parameter
+    get :remote_form
+    assert_equal 1, @response.body.scan(@token).size
+  end
+
   def test_should_allow_get
     get :index
     assert_response :success
-- 
cgit v1.2.3