From 3e98819e20bc113343d4d4c0df614865ad5a9d3a Mon Sep 17 00:00:00 2001
From: Ben Toews <mastahyeti@users.noreply.github.com>
Date: Mon, 4 Jan 2016 12:23:55 -0700
Subject: add option for per-form CSRF tokens

---
 actionview/lib/action_view/helpers/form_tag_helper.rb | 10 ++++++++--
 actionview/lib/action_view/helpers/url_helper.rb      | 10 +++++++---
 actionview/test/template/url_helper_test.rb           |  2 +-
 3 files changed, 16 insertions(+), 6 deletions(-)

(limited to 'actionview')

diff --git a/actionview/lib/action_view/helpers/form_tag_helper.rb b/actionview/lib/action_view/helpers/form_tag_helper.rb
index 79a1a242bf..d521553481 100644
--- a/actionview/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionview/lib/action_view/helpers/form_tag_helper.rb
@@ -870,10 +870,16 @@ module ActionView
               ''
             when /^post$/i, "", nil
               html_options["method"] = "post"
-              token_tag(authenticity_token)
+              token_tag(authenticity_token, form_options: {
+                action: html_options["action"],
+                method: "post"
+              })
             else
               html_options["method"] = "post"
-              method_tag(method) + token_tag(authenticity_token)
+              method_tag(method) + token_tag(authenticity_token, form_options: {
+                action: html_options["action"],
+                method: method
+              })
           end
 
           if html_options.delete("enforce_utf8") { true }
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index baebc34b4b..3a4561a083 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -311,7 +311,11 @@ module ActionView
         form_options[:action] = url
         form_options[:'data-remote'] = true if remote
 
-        request_token_tag = form_method == 'post' ? token_tag : ''
+        request_token_tag = if form_method == 'post'
+          token_tag(nil, form_options: form_options)
+        else
+          ''
+        end
 
         html_options = convert_options_to_data_attributes(options, html_options)
         html_options['type'] = 'submit'
@@ -579,9 +583,9 @@ module ActionView
           html_options["data-method"] = method
         end
 
-        def token_tag(token=nil)
+        def token_tag(token=nil, form_options: {})
           if token != false && protect_against_forgery?
-            token ||= form_authenticity_token
+            token ||= form_authenticity_token(form_options: form_options)
             tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token)
           else
             ''
diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb
index 784a48ed8d..89cabb8f6b 100644
--- a/actionview/test/template/url_helper_test.rb
+++ b/actionview/test/template/url_helper_test.rb
@@ -582,7 +582,7 @@ class UrlHelperTest < ActiveSupport::TestCase
     self.request_forgery
   end
 
-  def form_authenticity_token
+  def form_authenticity_token(*args)
     "secret"
   end
 
-- 
cgit v1.2.3