Default embed_authenticity_token_in_remote_forms to nil.
Effectively treat nil values as "auto", i.e. whatever a form helper chooses to interpret it as, but treat an explicitly assigned false value as disabling.
parent
c8a9ac000d
commit
6309b85100
|
@ -35,6 +35,22 @@ module RequestForgeryProtectionActions
|
||||||
render inline: "<%= form_for(:some_resource, :remote => true, :authenticity_token => 'external_token') {} %>"
|
render inline: "<%= form_for(:some_resource, :remote => true, :authenticity_token => 'external_token') {} %>"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def form_with_remote
|
||||||
|
render inline: "<%= form_with(scope: :some_resource) {} %>"
|
||||||
|
end
|
||||||
|
|
||||||
|
def form_with_remote_with_token
|
||||||
|
render inline: "<%= form_with(scope: :some_resource, authenticity_token: true) {} %>"
|
||||||
|
end
|
||||||
|
|
||||||
|
def form_with_local_with_token
|
||||||
|
render inline: "<%= form_with(scope: :some_resource, local: true, authenticity_token: true) {} %>"
|
||||||
|
end
|
||||||
|
|
||||||
|
def form_with_remote_with_external_token
|
||||||
|
render inline: "<%= form_with(scope: :some_resource, authenticity_token: 'external_token') {} %>"
|
||||||
|
end
|
||||||
|
|
||||||
def same_origin_js
|
def same_origin_js
|
||||||
render js: "foo();"
|
render js: "foo();"
|
||||||
end
|
end
|
||||||
|
@ -235,6 +251,80 @@ module RequestForgeryProtectionTests
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_should_render_form_with_with_token_tag_if_remote
|
||||||
|
assert_not_blocked do
|
||||||
|
get :form_with_remote
|
||||||
|
end
|
||||||
|
assert_match(/authenticity_token/, response.body)
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_should_render_form_with_without_token_tag_if_remote_and_embedding_token_is_off
|
||||||
|
original = ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms
|
||||||
|
begin
|
||||||
|
ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
|
||||||
|
assert_not_blocked do
|
||||||
|
get :form_with_remote
|
||||||
|
end
|
||||||
|
assert_no_match(/authenticity_token/, response.body)
|
||||||
|
ensure
|
||||||
|
ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = original
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_should_render_form_with_with_token_tag_if_remote_and_external_authenticity_token_requested_and_embedding_is_on
|
||||||
|
original = ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms
|
||||||
|
begin
|
||||||
|
ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
|
||||||
|
assert_not_blocked do
|
||||||
|
get :form_with_remote_with_external_token
|
||||||
|
end
|
||||||
|
assert_select "form>input[name=?][value=?]", "custom_authenticity_token", "external_token"
|
||||||
|
ensure
|
||||||
|
ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = original
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_should_render_form_with_with_token_tag_if_remote_and_external_authenticity_token_requested
|
||||||
|
assert_not_blocked do
|
||||||
|
get :form_with_remote_with_external_token
|
||||||
|
end
|
||||||
|
assert_select "form>input[name=?][value=?]", "custom_authenticity_token", "external_token"
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_should_render_form_with_with_token_tag_if_remote_and_authenticity_token_requested
|
||||||
|
@controller.stub :form_authenticity_token, @token do
|
||||||
|
assert_not_blocked do
|
||||||
|
get :form_with_remote_with_token
|
||||||
|
end
|
||||||
|
assert_select "form>input[name=?][value=?]", "custom_authenticity_token", @token
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_should_render_form_with_with_token_tag_with_authenticity_token_requested
|
||||||
|
@controller.stub :form_authenticity_token, @token do
|
||||||
|
assert_not_blocked do
|
||||||
|
get :form_with_local_with_token
|
||||||
|
end
|
||||||
|
assert_select "form>input[name=?][value=?]", "custom_authenticity_token", @token
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_should_render_form_with_with_token_tag_if_remote_and_embedding_token_is_on
|
||||||
|
original = ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms
|
||||||
|
begin
|
||||||
|
ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
|
||||||
|
|
||||||
|
@controller.stub :form_authenticity_token, @token do
|
||||||
|
assert_not_blocked do
|
||||||
|
get :form_with_remote
|
||||||
|
end
|
||||||
|
end
|
||||||
|
assert_select "form>input[name=?][value=?]", "custom_authenticity_token", @token
|
||||||
|
ensure
|
||||||
|
ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = original
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def test_should_allow_get
|
def test_should_allow_get
|
||||||
assert_not_blocked { get :index }
|
assert_not_blocked { get :index }
|
||||||
end
|
end
|
||||||
|
|
|
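Review bot: `test_should_render_form_with_with_token_tag_if_remote` only checks `assert_match(/authenticity_token/, response.body)`, which is satisfied by the field name alone and is looser than the `assert_select "form>input[name=?][value=?]"` check every sibling test in this hunk uses; since this is the test that pins the new nil-default behaviour, it would be stronger as `@controller.stub :form_authenticity_token, @token do ... end` around the `get` followed by `assert_select "form>input[name=?][value=?]", "custom_authenticity_token", @token`, mirroring `test_should_render_form_with_with_token_tag_if_remote_and_embedding_token_is_on`. The hunk also adds no case for a caller passing `authenticity_token: false` to a remote `form_with` while the setting is left at its default, which is the combination the helper change most affects; one test along the lines of the existing `form_with_remote_with_token` action but with `false` would cover it. The tests that mutate `embed_authenticity_token_in_remote_forms` restore it in `ensure`, which is good, so this is only about coverage and assertion precision.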
@ -1517,12 +1517,14 @@ module ActionView
|
||||||
html_options[:"accept-charset"] = "UTF-8"
|
html_options[:"accept-charset"] = "UTF-8"
|
||||||
html_options[:"data-remote"] = true unless local
|
html_options[:"data-remote"] = true unless local
|
||||||
|
|
||||||
if !local && !embed_authenticity_token_in_remote_forms &&
|
html_options[:authenticity_token] = options.delete(:authenticity_token)
|
||||||
html_options[:authenticity_token].blank?
|
|
||||||
# The authenticity token is taken from the meta tag in this case
|
if !local && html_options[:authenticity_token].blank?
|
||||||
html_options[:authenticity_token] = false
|
html_options[:authenticity_token] = embed_authenticity_token_in_remote_forms
|
||||||
elsif html_options[:authenticity_token] == true
|
end
|
||||||
# Include the default authenticity_token, which is only generated when its set to nil,
|
|
||||||
|
if html_options[:authenticity_token] == true
|
||||||
|
# Include the default authenticity_token, which is only generated when it's set to nil,
|
||||||
# but we needed the true value to override the default of no authenticity_token on data-remote.
|
# but we needed the true value to override the default of no authenticity_token on data-remote.
|
||||||
html_options[:authenticity_token] = nil
|
html_options[:authenticity_token] = nil
|
||||||
end
|
end
|
||||||
|
|
|
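Review bot: On the new `if !local && html_options[:authenticity_token].blank?` branch, `.blank?` is true for `false` under ActiveSupport, so a caller passing `authenticity_token: false` to a remote `form_with` has that value replaced by `embed_authenticity_token_in_remote_forms`, which with the new `nil` default is then treated as "generate the token"; the old code only overwrote the caller's value when the setting was off. If an explicit caller `false` should keep disabling the tag, as the commit message says it does for the setting, the check should distinguish unset from `false`, e.g. `if !local && html_options[:authenticity_token].nil?` (confirm whether an empty string still needs to count as unset before narrowing it). The branch now assigns one of three values whose meaning is only implied by the later `== true` normalisation; a comment above it such as `# nil (the default) lets the default token be generated below, false defers to the meta tag, true is normalised to nil` would make that contract visible. The enclosing method starts and ends outside the hunk.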
@ -18,7 +18,7 @@ module ActionView
|
||||||
include TextHelper
|
include TextHelper
|
||||||
|
|
||||||
mattr_accessor :embed_authenticity_token_in_remote_forms
|
mattr_accessor :embed_authenticity_token_in_remote_forms
|
||||||
self.embed_authenticity_token_in_remote_forms = false
|
self.embed_authenticity_token_in_remote_forms = nil
|
||||||
|
|
||||||
# Starts a form tag that points the action to a url configured with <tt>url_for_options</tt> just like
|
# Starts a form tag that points the action to a url configured with <tt>url_for_options</tt> just like
|
||||||
# ActionController::Base#url_for. The method for the form defaults to POST.
|
# ActionController::Base#url_for. The method for the form defaults to POST.
|
||||||
|
|
|
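Review bot: `mattr_accessor :embed_authenticity_token_in_remote_forms` now has a default of `nil` that carries meaning distinct from `false`, yet neither the accessor nor the changed default line documents it; a comment above the accessor such as `# nil (default) lets each helper decide whether to embed the token in remote forms; false never embeds it; true always does` would stop readers treating the two as equivalent. This hunk only changes the default, so whether the `form_tag` path in this file also reads the setting and handles `nil` the same way as the `form_with` change is not visible here and should be confirmed.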
@ -5,7 +5,7 @@ module ActionView
|
||||||
# = Action View Railtie
|
# = Action View Railtie
|
||||||
class Railtie < Rails::Engine # :nodoc:
|
class Railtie < Rails::Engine # :nodoc:
|
||||||
config.action_view = ActiveSupport::OrderedOptions.new
|
config.action_view = ActiveSupport::OrderedOptions.new
|
||||||
config.action_view.embed_authenticity_token_in_remote_forms = false
|
config.action_view.embed_authenticity_token_in_remote_forms = nil
|
||||||
config.action_view.debug_missing_translation = true
|
config.action_view.debug_missing_translation = true
|
||||||
|
|
||||||
config.eager_load_namespaces << ActionView
|
config.eager_load_namespaces << ActionView
|
||||||
|
|