From 256b0ee8e3c1610967dfc89f864e24b98ed3c236 Mon Sep 17 00:00:00 2001
From: Ross Kaffenburger and Bryan Helmkamp <developers@weplay.com>
Date: Wed, 4 Mar 2009 16:05:15 -0500
Subject: Don't check authenticity tokens for any AJAX requests

---
 actionpack/CHANGELOG                                          |  2 ++
 .../lib/action_controller/base/request_forgery_protection.rb  |  3 ++-
 actionpack/test/controller/request_forgery_protection_test.rb | 11 ++++++-----
 3 files changed, 10 insertions(+), 6 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 11ee1c1059..204f5ae272 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -7,6 +7,8 @@
 
 * Fixed that redirection would just log the options, not the final url (which lead to "Redirected to #<Post:0x23150b8>") [DHH]
 
+* Don't check authenticity tokens for any AJAX requests [Ross Kaffenberger/Bryan Helmkamp]
+
 * Added ability to pass in :public => true to fresh_when, stale?, and expires_in to make the request proxy cachable #2095 [Gregg Pollack]
 
 * Fixed that passing a custom form builder would be forwarded to nested fields_for calls #2023 [Eloy Duran/Nate Wiger]
diff --git a/actionpack/lib/action_controller/base/request_forgery_protection.rb b/actionpack/lib/action_controller/base/request_forgery_protection.rb
index f3e6288c26..3067122ceb 100644
--- a/actionpack/lib/action_controller/base/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/base/request_forgery_protection.rb
@@ -81,12 +81,13 @@ module ActionController #:nodoc:
       
       # Returns true or false if a request is verified.  Checks:
       #
-      # * is the format restricted?  By default, only HTML and AJAX requests are checked.
+      # * is the format restricted?  By default, only HTML requests are checked.
       # * is it a GET request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
       def verified_request?
         !protect_against_forgery?     ||
           request.method == :get      ||
+          request.xhr?                ||
           !verifiable_request_format? ||
           form_authenticity_token == params[request_forgery_protection_token]
       end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 835e73e3ab..83925ed4db 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -151,14 +151,10 @@ module RequestForgeryProtectionTests
       delete :index, :format => 'xml'
     end
   end
-
+  
   def test_should_allow_xhr_post_without_token
     assert_nothing_raised { xhr :post, :index }
   end
-  def test_should_not_allow_xhr_post_with_html_without_token
-    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-    assert_raise(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
-  end
   
   def test_should_allow_xhr_put_without_token
     assert_nothing_raised { xhr :put, :index }
@@ -168,6 +164,11 @@ module RequestForgeryProtectionTests
     assert_nothing_raised { xhr :delete, :index }
   end
   
+  def test_should_allow_xhr_post_with_encoded_form_content_type_without_token
+    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+    assert_nothing_raised { xhr :post, :index }
+  end
+  
   def test_should_allow_post_with_token
     post :index, :authenticity_token => @token
     assert_response :success
-- 
cgit v1.2.3