From 92203d754f535c01c5ec3175627425d20e3d2839 Mon Sep 17 00:00:00 2001
From: Vipul A M
Date: Thu, 18 Feb 2016 17:38:19 +0530
Subject: Fixed passing of delete method on button_to tag, creating wrong form csrf token Fixes #23524
---
 actionview/lib/action_view/helpers/url_helper.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'actionview/lib')
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index 87218821ed..4d82cbd469 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -311,8 +311,8 @@ module ActionView
 form_options[:action] = url
 form_options[:'data-remote'] = true if remote
- request_token_tag = if form_method == 'post'
- token_tag(nil, form_options: form_options)
+ request_token_tag = if (form_method == 'post' || method == 'delete')
+ token_tag(nil, form_options: form_options.merge(method: method))
 else
 ''
 end
-- cgit v1.2.3
From 2b4c0ae144768d72f042b2c2ec1bca4df386fb6f Mon Sep 17 00:00:00 2001
From: Vipul A M
Date: Mon, 22 Feb 2016 00:21:46 +0530
Subject: Refactored Request Forgery CSRF PerFormTokensController tests and DRY'ed them up.
---
 actionview/lib/action_view/helpers/url_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'actionview/lib')
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index 4d82cbd469..234e489115 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -311,7 +311,7 @@ module ActionView
 form_options[:action] = url
 form_options[:'data-remote'] = true if remote
- request_token_tag = if (form_method == 'post' || method == 'delete')
+ request_token_tag = if form_method == 'post'
 token_tag(nil, form_options: form_options.merge(method: method))
 else
 ''
-- cgit v1.2.3
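Review bot: `form_options.merge(method: method)` binds the CSRF token to the caller-supplied `method` as-is, with no normalisation before `token_tag` is called. `method` is assigned outside this hunk, so this is inferred: if it can be blank when button_to is given no method option, the token would be derived for a different verb than the one the form submits, and that button would presumably fail verification wherever the token is checked against the request verb. Resolving the verb first would keep the two aligned, e.g. `request_method = method.empty? ? 'post' : method` followed by `token_tag(nil, form_options: form_options.merge(method: request_method))`. The same call is carried unchanged into the follow-up commit's hunk, and the enclosing method begins and ends outside both hunks.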
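Review bot: The condition on `request_token_tag` goes back to `form_method == 'post'` under a subject that mentions only test refactoring, and nothing in the code says why the `method == 'delete'` arm is safe to drop. Presumably `form_method` is already 'post' for every non-GET verb (its assignment is outside the hunk); if so, a comment would record that, e.g. `# form_method is 'post' for all non-GET verbs; the real verb reaches the token via :method`. Without it the next reader has to rediscover why a DELETE button still gets a token tag. The enclosing method begins and ends outside the hunk.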