
RequestForgeryProtection now works with the new base

Pratik Naik 2009-05-21 11:50:34 +02:00
parent 886eeed52e
commit 59b32f2883
6 changed files with 33 additions and 14 deletions


@ -63,7 +63,7 @@ Rake::TestTask.new(:test_new_base_on_old_tests) do |t|
t.test_files = %w( t.test_files = %w(
addresses_render base benchmark caching capture content_type dispatcher addresses_render base benchmark caching capture content_type dispatcher
flash mime_responds record_identifier redirect render rescue url_rewriter flash mime_responds record_identifier redirect render rescue url_rewriter
webservice verification webservice verification request_forgery_protection
).map { |name| "test/controller/#{name}_test.rb" } ).map { |name| "test/controller/#{name}_test.rb" }
end end


@ -3,13 +3,27 @@ module ActionController #:nodoc:
end end
module RequestForgeryProtection module RequestForgeryProtection
def self.included(base) extend ActiveSupport::DependencyModule
base.class_eval do
# TODO : Remove the defined? check when new base is the main base
if defined?(ActionController::Http)
depends_on AbstractController::Helpers, Session
end
included do
if defined?(ActionController::Http)
# Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
# sets it to <tt>:authenticity_token</tt> by default.
cattr_accessor :request_forgery_protection_token
# Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
class_inheritable_accessor :allow_forgery_protection
self.allow_forgery_protection = true
end
helper_method :form_authenticity_token helper_method :form_authenticity_token
helper_method :protect_against_forgery? helper_method :protect_against_forgery?
end end
base.extend(ClassMethods)
end
# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a
# forged link from another site, is done by embedding a token based on a random string stored in the session (which an attacker wouldn't know) in all # forged link from another site, is done by embedding a token based on a random string stored in the session (which an attacker wouldn't know) in all
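Review bot: The `defined?(ActionController::Http)` guards on the `depends_on` line and inside `included do` are evaluated once, when this file is first loaded, so whether `allow_forgery_protection` and `request_forgery_protection_token` get defined depends on require order rather than on the class doing the include; if the file is autoloaded before `ActionController::Http`, the new base would receive the `helper_method` calls but neither accessor, and the CSRF check would be inert or raise on first use (inferred — `protect_against_forgery?` is outside the hunk). Because the `included` block is class_eval'd on the including class, a guard on the class itself is more robust and also avoids redefining the legacy base's accessors, e.g. `cattr_accessor :request_forgery_protection_token unless respond_to?(:request_forgery_protection_token)` and the same `unless respond_to?` form for `class_inheritable_accessor :allow_forgery_protection`. The comment above the accessor has a typo; it should read `# Controls whether request forgery protection is turned on or not. Turned off by default only in test mode.`. The rest of the module, including `protect_from_forgery` and the verification filter, lies outside this hunk.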


@ -27,6 +27,7 @@ module ActionController
autoload :Verification, 'action_controller/base/verification' autoload :Verification, 'action_controller/base/verification'
autoload :Flash, 'action_controller/base/chained/flash' autoload :Flash, 'action_controller/base/chained/flash'
autoload :RequestForgeryProtection, 'action_controller/base/request_forgery_protection'
require 'action_controller/routing' require 'action_controller/routing'
end end


@ -14,10 +14,6 @@ module ActionController
include ActionController::Layouts include ActionController::Layouts
include ActionController::ConditionalGet include ActionController::ConditionalGet
include ActionController::Session
include ActionController::Flash
include ActionController::Verification
# Legacy modules # Legacy modules
include SessionManagement include SessionManagement
include ActionDispatch::StatusCodes include ActionDispatch::StatusCodes
@ -27,6 +23,11 @@ module ActionController
# Rails 2.x compatibility # Rails 2.x compatibility
include ActionController::Rails2Compatibility include ActionController::Rails2Compatibility
include ActionController::Session
include ActionController::Flash
include ActionController::Verification
include ActionController::RequestForgeryProtection
# TODO: Extract into its own module # TODO: Extract into its own module
# This should be moved together with other normalizing behavior # This should be moved together with other normalizing behavior
module ImplicitRender module ImplicitRender
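Review bot: The include order this hunk establishes is load-bearing but undocumented: moving the Session/Flash/Verification includes below `Rails2Compatibility` and adding `RequestForgeryProtection` there means their `ClassMethods` are extended onto the class later and so shadow same-named class methods from the compatibility module, which is what lets the real `protect_from_forgery` win now that the no-op stub is dropped in another file section of this commit. Nothing in the hunk records that intent, and a later reorder would silently hand `protect_from_forgery` back to a compatibility stub if one were reintroduced. I'd add one line above `include ActionController::Session`: `# Must stay after Rails2Compatibility so these modules' ClassMethods take precedence over the legacy stubs`. The class definition begins and ends outside this hunk.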


@ -2,6 +2,9 @@ module ActionController
module Rails2Compatibility module Rails2Compatibility
extend ActiveSupport::DependencyModule extend ActiveSupport::DependencyModule
class ::ActionController::ActionControllerError < StandardError #:nodoc:
end
# Temporary hax # Temporary hax
included do included do
::ActionController::UnknownAction = ::AbstractController::ActionNotFound ::ActionController::UnknownAction = ::AbstractController::ActionNotFound
@ -65,7 +68,6 @@ module ActionController
end end
module ClassMethods module ClassMethods
def protect_from_forgery() end
def consider_all_requests_local() end def consider_all_requests_local() end
def rescue_action(env) def rescue_action(env)
raise env["action_dispatch.rescue.exception"] raise env["action_dispatch.rescue.exception"]
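Review bot: `class ::ActionController::ActionControllerError < StandardError` is defined at top level from inside a compatibility module with no comment saying why it lives here; presumably the legacy modules raise subclasses of it (in Rails 2.x `InvalidAuthenticityToken` inherits from it), but nothing in the hunk shows that. If a legacy file already defines the constant with a different superclass, this reopening raises a `TypeError` at load time, so the chosen superclass should be stated rather than left implicit. A one-line comment would do: `# Base class for the Rails 2.x controller errors raised by the legacy modules (e.g. InvalidAuthenticityToken)`. The module continues outside the hunk on both sides.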


@ -46,6 +46,7 @@ module ActionDispatch
autoload :ShowExceptions, 'action_dispatch/middleware/show_exceptions' autoload :ShowExceptions, 'action_dispatch/middleware/show_exceptions'
autoload :MiddlewareStack, 'action_dispatch/middleware/stack' autoload :MiddlewareStack, 'action_dispatch/middleware/stack'
autoload :HTML, 'action_controller/vendor/html-scanner'
autoload :Assertions, 'action_dispatch/testing/assertions' autoload :Assertions, 'action_dispatch/testing/assertions'
autoload :TestRequest, 'action_dispatch/testing/test_request' autoload :TestRequest, 'action_dispatch/testing/test_request'
autoload :TestResponse, 'action_dispatch/testing/test_response' autoload :TestResponse, 'action_dispatch/testing/test_response'