Add ActionController::Base.skip_forgery_protection
Since we now default to `protect_from_forgery with: :exception`, provide a wrapper around `skip_before_action :verify_authenticity_token` for disabling forgery protection.
This commit is contained in:
parent
ec4a836919
commit
73b944eca7
2 changed files with 39 additions and 0 deletions
|
@ -132,6 +132,15 @@ module ActionController #:nodoc:
|
||||||
append_after_action :verify_same_origin_request
|
append_after_action :verify_same_origin_request
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Turn off request forgery protection. This is a wrapper for:
|
||||||
|
#
|
||||||
|
# skip_before_action :verify_authenticity_token
|
||||||
|
#
|
||||||
|
# See +skip_before_action+ for allowed options.
|
||||||
|
def skip_forgery_protection(options = {})
|
||||||
|
skip_before_action :verify_authenticity_token, options
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def protection_method_class(name)
|
def protection_method_class(name)
|
||||||
|
|
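Review bot: The doc comment above `skip_forgery_protection` explains the mechanism but not its consequence: every action it applies to is served with no CSRF check at all, so a caller who uses the bare form on a controller whose actions are authenticated by the session cookie silently loses the protection that `protect_from_forgery with: :exception` was just made the default for. I would add, after `# See +skip_before_action+ for allowed options.`, the lines `# Skipping removes CSRF protection from the affected actions; restrict it with` / `# +only:+, +except:+ or +if:+ to actions that do not rely on the session for authentication.` It is probably also worth a sentence that, because this is a thin wrapper, +skip_before_action+ will raise if the +verify_authenticity_token+ callback was never added to the controller (the default +raise: true+ behaviour of the callback API, if I recall correctly), so controllers that opted out of +protect_from_forgery+ should not call it.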
|
@ -163,6 +163,13 @@ class PerFormTokensController < ActionController::Base
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
class SkipProtectionController < ActionController::Base
|
||||||
|
include RequestForgeryProtectionActions
|
||||||
|
protect_from_forgery with: :exception
|
||||||
|
skip_forgery_protection if: :skip_requested
|
||||||
|
attr_accessor :skip_requested
|
||||||
|
end
|
||||||
|
|
||||||
# common test methods
|
# common test methods
|
||||||
module RequestForgeryProtectionTests
|
module RequestForgeryProtectionTests
|
||||||
def setup
|
def setup
|
||||||
|
@ -964,3 +971,26 @@ class PerFormTokensControllerTest < ActionController::TestCase
|
||||||
assert_equal expected, actual
|
assert_equal expected, actual
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
class SkipProtectionControllerTest < ActionController::TestCase
|
||||||
|
def test_should_not_allow_post_without_token_when_not_skipping
|
||||||
|
@controller.skip_requested = false
|
||||||
|
assert_blocked { post :index }
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_should_allow_post_without_token_when_skipping
|
||||||
|
@controller.skip_requested = true
|
||||||
|
assert_not_blocked { post :index }
|
||||||
|
end
|
||||||
|
|
||||||
|
def assert_blocked
|
||||||
|
assert_raises(ActionController::InvalidAuthenticityToken) do
|
||||||
|
yield
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def assert_not_blocked
|
||||||
|
assert_nothing_raised { yield }
|
||||||
|
assert_response :success
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
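Review bot: The new tests only exercise the `if:` form of `skip_forgery_protection`; nothing covers the bare call or `only:`/`except:` scoping, which is how the helper will usually be used, and `test_should_not_allow_post_without_token_when_not_skipping` only proves the `if:` condition was honoured, not that the callback stays registered for actions outside the skip. A regression that drops the options hash on the way to `skip_before_action` (turning every scoped skip into an unconditional one) would therefore pass this suite. I would add a second controller that calls `skip_forgery_protection only: :index` and assert that `post :index` succeeds while a post to any other action still raises `ActionController::InvalidAuthenticityToken`; the sketch below uses a placeholder for that second action since its name is not visible in this diff.
```ruby
class ScopedSkipProtectionController < ActionController::Base
  include RequestForgeryProtectionActions
  protect_from_forgery with: :exception
  skip_forgery_protection only: :index
end

# … in a new ActionController::TestCase for the controller above: …
def test_should_skip_only_listed_actions
  assert_nothing_raised { post :index }
  assert_response :success
  # <OTHER_ACTION> = placeholder: any action provided by RequestForgeryProtectionActions other than :index
  assert_raises(ActionController::InvalidAuthenticityToken) { post :<OTHER_ACTION> }
end
```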