From a4c120f165c5a0b7976ba72638261c3342364e38 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Wed, 14 Mar 2012 19:03:39 -0400
Subject: Do not include the authenticity token in forms where remote: true as
 ajax forms use the meta-tag value

---
 .../test/controller/request_forgery_protection_test.rb      | 13 +++++++++++++
 1 file changed, 13 insertions(+)


diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index ef795dad89..77db4969a7 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -35,6 +35,12 @@ module RequestForgeryProtectionActions
   def form_for_without_protection
     render :inline => "<%= form_for(:some_resource, :authenticity_token => false ) {} %>"
   end
+
+  def form_for_remote
+    render :inline => "<%= form_for(:some_resource, :remote => true ) {} %>"
+  end
+
+  def rescue_action(e) raise e end
 end
 
 # sample controllers
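Review bot: `def rescue_action(e) raise e end` packs a whole method onto one line, while every other action in this module uses the multi-line form; writing it as `def rescue_action(e)` / `  raise e` / `end` keeps the module consistent, and a one-line comment such as `# re-raise so action errors surface in the test instead of being rendered` would state its purpose (that reading is inferred from the name, so worth confirming). The new `form_for_remote` also carries a stray space before the closing paren in `:remote => true )`, copied from the line above; harmless to the test but easy to drop. RequestForgeryProtectionActions continues past the end of this hunk.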
@@ -98,6 +104,13 @@ module RequestForgeryProtectionTests
     assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token
   end
 
+  def test_should_render_form_without_token_tag_if_remote
+    assert_not_blocked do
+      get :form_for_remote
+    end
+    assert_no_match /authenticity_token/, response.body
+  end
+
   def test_should_allow_get
     assert_not_blocked { get :index }
   end
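Review bot: `assert_no_match /authenticity_token/, response.body` passes an unparenthesized regex literal as the first argument, which Ruby flags as an ambiguous `/` under `-w`; `assert_no_match(/authenticity_token/, response.body)` avoids the warning. The regex also scans the whole body rather than the form, so if a layout that emits `csrf_meta_tags` were ever applied to this inline render, the `csrf-param` meta content would trip the assertion even though the hidden field is correctly gone; `assert_select 'form input[name=authenticity_token]', false` ties the check to the field this change removes. Note the test pins only the absence of the token for a remote form; the protection now relies on the ajax layer sending the meta-tag value, which nothing in this file exercises. RequestForgeryProtectionTests continues outside the hunk.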
-- 