From a58db74c4feda7b8e2a02882c030b252d6fa8611 Mon Sep 17 00:00:00 2001 From: Genadi Samokovarov Date: Wed, 26 Dec 2018 21:10:37 +0200 Subject: Don't expect defined protect_against_forgery? in {token,csrf_meta}_tag The `#csrf_meta_tags` and `#token_tag` Action View helper methods are expecting the class in which are included to explicitly define the method `#protect_against_forgery?` or else they will fail with `NoMethodError`. This is a problem if you want to use Action View outside of Rails applications. For example, in #34788 I used the `#button_to` helper inside of the error pages templates that have a custom `ActionView::Base` subclass, which did not defined `#protect_against_forgery?` and trying to call the button failed. I had to dig inside of Action View to find-out what's was going on. I think we should either set a default method implementation in the helpers or check for the method definition, but don't explicitly require the presence of `#protect_against_forgery?` in every `ActionViews::Base` subclass as the errors are hard to figure out. --- actionview/lib/action_view/helpers/url_helper.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actionview/lib/action_view/helpers/url_helper.rb') diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb index 948dd1551f..d63ada3890 100644 --- a/actionview/lib/action_view/helpers/url_helper.rb +++ b/actionview/lib/action_view/helpers/url_helper.rb @@ -618,7 +618,7 @@ module ActionView end def token_tag(token = nil, form_options: {}) - if token != false && protect_against_forgery? + if token != false && defined?(protect_against_forgery?) && protect_against_forgery? token ||= form_authenticity_token(form_options: form_options) tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token) else -- cgit v1.2.3