RequestForgeryProtection now works with the new base
This commit is contained in:
parent
886eeed52e
commit
59b32f2883
6 changed files with 33 additions and 14 deletions
|
@ -63,7 +63,7 @@ Rake::TestTask.new(:test_new_base_on_old_tests) do |t|
|
||||||
t.test_files = %w(
|
t.test_files = %w(
|
||||||
addresses_render base benchmark caching capture content_type dispatcher
|
addresses_render base benchmark caching capture content_type dispatcher
|
||||||
flash mime_responds record_identifier redirect render rescue url_rewriter
|
flash mime_responds record_identifier redirect render rescue url_rewriter
|
||||||
webservice verification
|
webservice verification request_forgery_protection
|
||||||
).map { |name| "test/controller/#{name}_test.rb" }
|
).map { |name| "test/controller/#{name}_test.rb" }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -3,13 +3,27 @@ module ActionController #:nodoc:
|
||||||
end
|
end
|
||||||
|
|
||||||
module RequestForgeryProtection
|
module RequestForgeryProtection
|
||||||
def self.included(base)
|
extend ActiveSupport::DependencyModule
|
||||||
base.class_eval do
|
|
||||||
|
# TODO : Remove the defined? check when new base is the main base
|
||||||
|
if defined?(ActionController::Http)
|
||||||
|
depends_on AbstractController::Helpers, Session
|
||||||
|
end
|
||||||
|
|
||||||
|
included do
|
||||||
|
if defined?(ActionController::Http)
|
||||||
|
# Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
|
||||||
|
# sets it to <tt>:authenticity_token</tt> by default.
|
||||||
|
cattr_accessor :request_forgery_protection_token
|
||||||
|
|
||||||
|
# Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
|
||||||
|
class_inheritable_accessor :allow_forgery_protection
|
||||||
|
self.allow_forgery_protection = true
|
||||||
|
end
|
||||||
|
|
||||||
helper_method :form_authenticity_token
|
helper_method :form_authenticity_token
|
||||||
helper_method :protect_against_forgery?
|
helper_method :protect_against_forgery?
|
||||||
end
|
end
|
||||||
base.extend(ClassMethods)
|
|
||||||
end
|
|
||||||
|
|
||||||
# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a
|
# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a
|
||||||
# forged link from another site, is done by embedding a token based on a random string stored in the session (which an attacker wouldn't know) in all
|
# forged link from another site, is done by embedding a token based on a random string stored in the session (which an attacker wouldn't know) in all
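Review bot: The `defined?(ActionController::Http)` checks around `depends_on` and inside `included do` are evaluated once when this file is loaded, so whether `allow_forgery_protection` and `request_forgery_protection_token` exist on the new base depends on `ActionController::Http` having been loaded first — an ordering assumption that should be written down next to the TODO, e.g. `# NOTE: evaluated at load time; ActionController::Http must be loaded before this file or the new-base accessors are silently skipped`. The accessor comment also says protection is "Turned off by default only in test mode" while the visible code sets `self.allow_forgery_protection = true` unconditionally; presumably the test environment configuration flips it, so the comment should say `# Controls whether request forgery protection is turned on or not. Defaults to true; the test environment is expected to set it to false.` (which also fixes the `forgergy` typo). The `RequestForgeryProtection` module body continues past the end of this hunk.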
|
||||||
|
|
|
@ -27,6 +27,7 @@ module ActionController
|
||||||
|
|
||||||
autoload :Verification, 'action_controller/base/verification'
|
autoload :Verification, 'action_controller/base/verification'
|
||||||
autoload :Flash, 'action_controller/base/chained/flash'
|
autoload :Flash, 'action_controller/base/chained/flash'
|
||||||
|
autoload :RequestForgeryProtection, 'action_controller/base/request_forgery_protection'
|
||||||
|
|
||||||
require 'action_controller/routing'
|
require 'action_controller/routing'
|
||||||
end
|
end
|
||||||
|
|
|
@ -14,10 +14,6 @@ module ActionController
|
||||||
include ActionController::Layouts
|
include ActionController::Layouts
|
||||||
include ActionController::ConditionalGet
|
include ActionController::ConditionalGet
|
||||||
|
|
||||||
include ActionController::Session
|
|
||||||
include ActionController::Flash
|
|
||||||
include ActionController::Verification
|
|
||||||
|
|
||||||
# Legacy modules
|
# Legacy modules
|
||||||
include SessionManagement
|
include SessionManagement
|
||||||
include ActionDispatch::StatusCodes
|
include ActionDispatch::StatusCodes
|
||||||
|
@ -27,6 +23,11 @@ module ActionController
|
||||||
# Rails 2.x compatibility
|
# Rails 2.x compatibility
|
||||||
include ActionController::Rails2Compatibility
|
include ActionController::Rails2Compatibility
|
||||||
|
|
||||||
|
include ActionController::Session
|
||||||
|
include ActionController::Flash
|
||||||
|
include ActionController::Verification
|
||||||
|
include ActionController::RequestForgeryProtection
|
||||||
|
|
||||||
# TODO: Extract into its own module
|
# TODO: Extract into its own module
|
||||||
# This should be moved together with other normalizing behavior
|
# This should be moved together with other normalizing behavior
|
||||||
module ImplicitRender
|
module ImplicitRender
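Review bot: Moving `include ActionController::Session`, `Flash` and `Verification` below `Rails2Compatibility` and adding `include ActionController::RequestForgeryProtection` there leaves the `# Legacy modules` heading above only `SessionManagement` and `StatusCodes`, and nothing records why these four modules must now follow the compatibility layer. Given that `RequestForgeryProtection` declares `depends_on AbstractController::Helpers, Session` and `Rails2Compatibility` previously stubbed `protect_from_forgery` as a no-op, the order is presumably what guarantees the compatibility shims are in place before the real CSRF macro is defined; a one-line comment such as `# Must come after Rails2Compatibility so its shims are defined before the real protect_from_forgery` would keep a later reordering from silently reintroducing a no-op. The `Base` class body continues outside both hunks.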
|
||||||
|
|
|
@ -2,6 +2,9 @@ module ActionController
|
||||||
module Rails2Compatibility
|
module Rails2Compatibility
|
||||||
extend ActiveSupport::DependencyModule
|
extend ActiveSupport::DependencyModule
|
||||||
|
|
||||||
|
class ::ActionController::ActionControllerError < StandardError #:nodoc:
|
||||||
|
end
|
||||||
|
|
||||||
# Temporary hax
|
# Temporary hax
|
||||||
included do
|
included do
|
||||||
::ActionController::UnknownAction = ::AbstractController::ActionNotFound
|
::ActionController::UnknownAction = ::AbstractController::ActionNotFound
|
||||||
|
@ -65,7 +68,6 @@ module ActionController
|
||||||
end
|
end
|
||||||
|
|
||||||
module ClassMethods
|
module ClassMethods
|
||||||
def protect_from_forgery() end
|
|
||||||
def consider_all_requests_local() end
|
def consider_all_requests_local() end
|
||||||
def rescue_action(env)
|
def rescue_action(env)
|
||||||
raise env["action_dispatch.rescue.exception"]
|
raise env["action_dispatch.rescue.exception"]
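Review bot: Dropping the no-op `def protect_from_forgery() end` is the right call — on the new base that stub made a controller's `protect_from_forgery` call silently do nothing — but the same hazard remains for `def consider_all_requests_local() end` on the next line, which still discards a setting that in Rails 2.x presumably governs whether detailed exception pages are shown to every request. If it has to stay a stub while the new base lands, mark it so it cannot be mistaken for a working macro, e.g. `# TODO(new base): no-op; consider_all_requests_local is not honoured yet`, or have it emit a warning. `ClassMethods` and the `rescue_action` method continue past the end of this hunk.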
|
||||||
|
|
|
@ -46,6 +46,7 @@ module ActionDispatch
|
||||||
autoload :ShowExceptions, 'action_dispatch/middleware/show_exceptions'
|
autoload :ShowExceptions, 'action_dispatch/middleware/show_exceptions'
|
||||||
autoload :MiddlewareStack, 'action_dispatch/middleware/stack'
|
autoload :MiddlewareStack, 'action_dispatch/middleware/stack'
|
||||||
|
|
||||||
|
autoload :HTML, 'action_controller/vendor/html-scanner'
|
||||||
autoload :Assertions, 'action_dispatch/testing/assertions'
|
autoload :Assertions, 'action_dispatch/testing/assertions'
|
||||||
autoload :TestRequest, 'action_dispatch/testing/test_request'
|
autoload :TestRequest, 'action_dispatch/testing/test_request'
|
||||||
autoload :TestResponse, 'action_dispatch/testing/test_response'
|
autoload :TestResponse, 'action_dispatch/testing/test_response'
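Review bot: `autoload :HTML, 'action_controller/vendor/html-scanner'` makes ActionDispatch resolve a constant from ActionController's vendor directory, inverting the dependency between the two packages — ActionDispatch now loads correctly only when action_controller's load path is present. Since this is presumably the HTML parser the testing assertions autoloaded just below rely on, a path that can drift when action_controller is reorganised deserves at least a comment, e.g. `# TODO: html-scanner is vendored under action_controller; move it or re-point this once the new base settles`. The `module ActionDispatch` body continues outside this hunk.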
|
||||||
|
|