From 67584c6ae37c88f8abba6f4fbdeedc7c1a6dfa1b Mon Sep 17 00:00:00 2001
From: "John Barton (joho)" <jrbarton@gmail.com>
Date: Wed, 5 Mar 2014 11:24:51 +1100
Subject: Make CSRF failure logging optional/configurable.

Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.
---
 .../test/controller/request_forgery_protection_test.rb   | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'actionpack/test')

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 1f5fc06410..99229b3baf 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -289,6 +289,22 @@ module RequestForgeryProtectionTests
     end
   end
 
+  def test_should_not_warn_if_csrf_logging_disabled
+    old_logger = ActionController::Base.logger
+    logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
+    ActionController::Base.logger = logger
+    ActionController::Base.log_warning_on_csrf_failure = false
+
+    begin
+      assert_blocked { post :index }
+
+      assert_equal 0, logger.logged(:warn).size
+    ensure
+      ActionController::Base.logger = old_logger
+      ActionController::Base.log_warning_on_csrf_failure = true
+    end
+  end
+
   def test_should_only_allow_same_origin_js_get_with_xhr_header
     assert_cross_origin_blocked { get :same_origin_js }
     assert_cross_origin_blocked { get :same_origin_js, format: 'js' }
-- 
cgit v1.2.3