Merge pull request #14945 from tomkadwill/form_authenticity_param_refactor
Moved 'params[request_forgery_protection_token]' into its own method and...
commit
2bb008a6cf
|
@ -1,3 +1,10 @@
|
||||||
|
* Moved `params[request_forgery_protection_token]` into its own method
|
||||||
|
and improved tests.
|
||||||
|
|
||||||
|
Fixes #11316.
|
||||||
|
|
||||||
|
*Tom Kadwill*
|
||||||
|
|
||||||
* Added verification of route constraints given as a Proc or an object responding
|
* Added verification of route constraints given as a Proc or an object responding
|
||||||
to `:matches?`. Previously, when given an non-complying object, it would just
|
to `:matches?`. Previously, when given an non-complying object, it would just
|
||||||
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
||||||
|
|
|
@ -247,7 +247,7 @@ module ActionController #:nodoc:
|
||||||
# * Does the X-CSRF-Token header match the form_authenticity_token
|
# * Does the X-CSRF-Token header match the form_authenticity_token
|
||||||
def verified_request?
|
def verified_request?
|
||||||
!protect_against_forgery? || request.get? || request.head? ||
|
!protect_against_forgery? || request.get? || request.head? ||
|
||||||
form_authenticity_token == params[request_forgery_protection_token] ||
|
form_authenticity_token == form_authenticity_param ||
|
||||||
form_authenticity_token == request.headers['X-CSRF-Token']
|
form_authenticity_token == request.headers['X-CSRF-Token']
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
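Review bot: The new line `form_authenticity_token == form_authenticity_param` (and the unchanged `X-CSRF-Token` header comparison below it) still compares the CSRF secret with plain `String#==`, which returns at the first differing byte; the commit changes where the param value comes from but not how it is checked. If this tree already has a constant-time comparison helper (later Rails ships `ActiveSupport::SecurityUtils.secure_compare`), both comparisons in `verified_request?` should go through it; otherwise a `# TODO: constant-time compare` marker on this line would at least record the gap. The definition of `form_authenticity_param` is not in the shown hunk, so whether it is declared with the same visibility as `form_authenticity_token` and carries a doc comment cannot be confirmed here. The comment list above `verified_request?` (only its last bullet is visible) should also name the new method, e.g. `# * Does the form_authenticity_token match the value returned by form_authenticity_param?`.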
@ -462,16 +462,37 @@ end
|
||||||
class CustomAuthenticityParamControllerTest < ActionController::TestCase
|
class CustomAuthenticityParamControllerTest < ActionController::TestCase
|
||||||
def setup
|
def setup
|
||||||
super
|
super
|
||||||
ActionController::Base.request_forgery_protection_token = :custom_token_name
|
@old_logger = ActionController::Base.logger
|
||||||
|
@logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
|
||||||
|
@token = "foobar"
|
||||||
|
ActionController::Base.request_forgery_protection_token = @token
|
||||||
end
|
end
|
||||||
|
|
||||||
def teardown
|
def teardown
|
||||||
ActionController::Base.request_forgery_protection_token = :authenticity_token
|
ActionController::Base.request_forgery_protection_token = nil
|
||||||
super
|
super
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_should_allow_custom_token
|
def test_should_not_warn_if_form_authenticity_param_matches_form_authenticity_token
|
||||||
post :index, :custom_token_name => 'foobar'
|
ActionController::Base.logger = @logger
|
||||||
assert_response :ok
|
SecureRandom.stubs(:base64).returns(@token)
|
||||||
|
|
||||||
|
begin
|
||||||
|
post :index, :custom_token_name => 'foobar'
|
||||||
|
assert_equal 0, @logger.logged(:warn).size
|
||||||
|
ensure
|
||||||
|
ActionController::Base.logger = @old_logger
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_should_warn_if_form_authenticity_param_does_not_match_form_authenticity_token
|
||||||
|
ActionController::Base.logger = @logger
|
||||||
|
|
||||||
|
begin
|
||||||
|
post :index, :custom_token_name => 'bazqux'
|
||||||
|
assert_equal 1, @logger.logged(:warn).size
|
||||||
|
ensure
|
||||||
|
ActionController::Base.logger = @old_logger
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
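Review bot: In the new `setup`, `@token = "foobar"` is assigned to `ActionController::Base.request_forgery_protection_token`, which is the parameter *name* the controller reads, yet both tests still post `:custom_token_name => ...`, so `params["foobar"]` would be nil and the assertions can only hold if something outside this hunk (presumably an override of `form_authenticity_param` on the controller under test) supplies the compared value. That coupling should be stated at the top of the class, e.g. `# NOTE: the controller under test overrides form_authenticity_param (TODO confirm); the posted param key is not what verified_request? compares`, and `@token` is doing double duty as the configured param name and as the stubbed `SecureRandom.base64` value, which is what makes the setup read oddly. Since `@old_logger` and `@logger` are already captured in `setup`, the per-test `ActionController::Base.logger = @logger` and the `begin`/`ensure` restore to `@old_logger` can move into `setup` and `teardown`, removing the duplicated block from both tests. The enclosing test class ends inside the hunk, but the sibling controller and test classes it depends on are outside it.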