RequestForgeryProtection now works with the new base

actionpack/Rakefile

@@ -63,7 +63,7 @@ Rake::TestTask.new(:test_new_base_on_old_tests) do |t|
   t.test_files = %w(
     addresses_render base benchmark caching capture content_type dispatcher
     flash mime_responds record_identifier redirect render rescue url_rewriter
-    webservice verification
+    webservice verification request_forgery_protection
   ).map { |name| "test/controller/#{name}_test.rb" }
 end
 

actionpack/lib/action_controller/base/request_forgery_protection.rb

@@ -3,12 +3,26 @@ module ActionController #:nodoc:
   end
 
   module RequestForgeryProtection
-    def self.included(base)
-      base.class_eval do
-        helper_method :form_authenticity_token
-        helper_method :protect_against_forgery?
+    extend ActiveSupport::DependencyModule
+
+    # TODO : Remove the defined? check when new base is the main base
+    if defined?(ActionController::Http)
+      depends_on AbstractController::Helpers, Session
+    end
+
+    included do
+      if defined?(ActionController::Http)
+        # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
+        # sets it to <tt>:authenticity_token</tt> by default.
+        cattr_accessor :request_forgery_protection_token
+
+        # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
+        class_inheritable_accessor :allow_forgery_protection
+        self.allow_forgery_protection = true
       end
-      base.extend(ClassMethods)
+
+      helper_method :form_authenticity_token
+      helper_method :protect_against_forgery?
     end
     
     # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a

actionpack/lib/action_controller/new_base.rb

@@ -25,8 +25,9 @@ module ActionController
   autoload :UrlRewriter,       'action_controller/routing/generation/url_rewriter'
   autoload :UrlWriter,         'action_controller/routing/generation/url_rewriter'
 
-  autoload :Verification, 'action_controller/base/verification'
-  autoload :Flash,        'action_controller/base/chained/flash'
+  autoload :Verification,             'action_controller/base/verification'
+  autoload :Flash,                    'action_controller/base/chained/flash'
+  autoload :RequestForgeryProtection, 'action_controller/base/request_forgery_protection'
 
   require 'action_controller/routing'
 end

actionpack/lib/action_controller/new_base/base.rb

@@ -14,10 +14,6 @@ module ActionController
     include ActionController::Layouts
     include ActionController::ConditionalGet
 
-    include ActionController::Session
-    include ActionController::Flash
-    include ActionController::Verification
-
     # Legacy modules
     include SessionManagement
     include ActionDispatch::StatusCodes
@@ -27,6 +23,11 @@ module ActionController
     # Rails 2.x compatibility
     include ActionController::Rails2Compatibility
 
+    include ActionController::Session
+    include ActionController::Flash
+    include ActionController::Verification
+    include ActionController::RequestForgeryProtection
+
     # TODO: Extract into its own module
     # This should be moved together with other normalizing behavior
     module ImplicitRender

actionpack/lib/action_controller/new_base/compatibility.rb

@@ -1,7 +1,10 @@
 module ActionController
   module Rails2Compatibility
     extend ActiveSupport::DependencyModule
-  
+
+    class ::ActionController::ActionControllerError < StandardError #:nodoc:
+    end
+
     # Temporary hax
     included do
       ::ActionController::UnknownAction = ::AbstractController::ActionNotFound
@@ -65,7 +68,6 @@ module ActionController
     end
 
     module ClassMethods
-      def protect_from_forgery() end
       def consider_all_requests_local() end
       def rescue_action(env)
         raise env["action_dispatch.rescue.exception"]

actionpack/lib/action_dispatch.rb

@@ -46,6 +46,7 @@ module ActionDispatch
   autoload :ShowExceptions, 'action_dispatch/middleware/show_exceptions'
   autoload :MiddlewareStack, 'action_dispatch/middleware/stack'
 
+  autoload :HTML, 'action_controller/vendor/html-scanner'
   autoload :Assertions, 'action_dispatch/testing/assertions'
   autoload :TestRequest, 'action_dispatch/testing/test_request'
   autoload :TestResponse, 'action_dispatch/testing/test_response'