Make per form token work when method is not provided

When `button_to 'Botton', url` form was being used the per form token was not correct because the method that is was being used to generate it was an empty string.
2022-11-09 12:12:34 -05:00 · 2016-02-22 18:40:48 -03:00 · 2016-02-22 18:40:48 -03:00 · 1358fce5aa
commit 1358fce5aa
parent c57e7239a8
2 changed files with 18 additions and 3 deletions
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@ -133,11 +133,11 @@ class PerFormTokensController < ActionController::Base
  self.per_form_csrf_tokens = true

  def index
-    render inline: "<%= form_tag (params[:form_path] || '/per_form_tokens/post_one'), method: (params[:form_method] || :post) %>"
+    render inline: "<%= form_tag (params[:form_path] || '/per_form_tokens/post_one'), method: params[:form_method] %>"
  end

  def button_to
-    render inline: "<%= button_to 'Button', (params[:form_path] || '/per_form_tokens/post_one'), method: (params[:form_method] || :post) %>"
+    render inline: "<%= button_to 'Button', (params[:form_path] || '/per_form_tokens/post_one'), method: params[:form_method] %>"
  end

  def post_one
@ -710,6 +710,20 @@ class PerFormTokensControllerTest < ActionController::TestCase
    end
  end

+  test "Accepts proper token for implicit post method on button_to tag" do
+    get :button_to
+
+    form_token = assert_presence_and_fetch_form_csrf_token
+
+    assert_matches_session_token_on_server form_token, 'post'
+
+    # This is required because PATH_INFO isn't reset between requests.
+    @request.env['PATH_INFO'] = '/per_form_tokens/post_one'
+    assert_nothing_raised do
+      post :post_one, params: { custom_authenticity_token: form_token }
+    end
+  end
+
  %w{delete post patch}.each do |verb|
    test "Accepts proper token for #{verb} method on button_to tag" do
      get :button_to, params: { form_method: verb }
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@ -312,7 +312,8 @@ module ActionView
        form_options[:'data-remote'] = true if remote

        request_token_tag = if form_method == 'post'
-          token_tag(nil, form_options: { action: url, method: method })
+          request_method = method.empty? ? 'post' : method
+          token_tag(nil, form_options: { action: url, method: request_method })
        else
          ''
        end