From 78de17cf7095af8e86d192af8d8fbe21e6f193d9 Mon Sep 17 00:00:00 2001
From: Jeremy Kemper
Date: Thu, 4 Feb 2010 14:15:16 -0800
Subject: [PATCH] Expose CSRF tag for UJS adapters
---
 actionpack/lib/action_view/helpers.rb | 2 ++
 .../lib/action_view/helpers/csrf_helper.rb | 12 ++++++++++++
 .../request_forgery_protection_test.rb | 16 +++++++++++++++-
 .../erb/scaffold/templates/layout.html.erb | 1 +
 4 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 actionpack/lib/action_view/helpers/csrf_helper.rb
diff --git a/actionpack/lib/action_view/helpers.rb b/actionpack/lib/action_view/helpers.rb
index ceb0e18d80..b4f649385a 100644
--- a/actionpack/lib/action_view/helpers.rb
+++ b/actionpack/lib/action_view/helpers.rb
@@ -7,6 +7,7 @@ module ActionView #:nodoc:
 autoload :AtomFeedHelper, 'action_view/helpers/atom_feed_helper'
 autoload :CacheHelper, 'action_view/helpers/cache_helper'
 autoload :CaptureHelper, 'action_view/helpers/capture_helper'
+ autoload :CsrfHelper, 'action_view/helpers/csrf_helper'
 autoload :DateHelper, 'action_view/helpers/date_helper'
 autoload :DebugHelper, 'action_view/helpers/debug_helper'
 autoload :FormHelper, 'action_view/helpers/form_helper'
@@ -40,6 +41,7 @@ module ActionView #:nodoc:
 include AtomFeedHelper
 include CacheHelper
 include CaptureHelper
+ include CsrfHelper
 include DateHelper
 include DebugHelper
 include FormHelper
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb
new file mode 100644
index 0000000000..2d6af52180
--- /dev/null
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -0,0 +1,12 @@
+module ActionView
+ module Helpers
+ module CsrfHelper
+ # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
+ def csrf_meta_tag
+ if protect_against_forgery?
+ %().html_safe
+ end
+ end
+ end
+ end
+end
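Review bot: `csrf_meta_tag` returns nil, not a string, when `protect_against_forgery?` is false (the `if` has no else branch), and the method comment should say so, e.g. `# Returns a meta tag carrying the request forgery protection token for UJS adapters to read; returns nil when forgery protection is off, so <%= csrf_meta_tag %> renders nothing. Put it inside the layout's <head>.` The `%()` literal is shown empty here, which looks like an extraction artifact rather than the committed code; whatever it interpolates is then marked `html_safe`, which turns off output escaping for the whole string, so the token and the parameter name must be HTML-escaped (e.g. `ERB::Util.html_escape`) before interpolation. A comment on that line, `# html_safe disables view escaping for this string, so every interpolated value must already be HTML-escaped`, would keep a later edit from interpolating an unescaped value.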
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index b2a0e2e2a3..55c21bc84a 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -15,13 +15,17 @@ module RequestForgeryProtectionActions
 render :text => 'pwn'
 end
+ def meta
+ render :inline => "<%= csrf_meta_tag %>"
+ end
+
 def rescue_action(e) raise e end
 end
 # sample controllers
 class RequestForgeryProtectionController < ActionController::Base
 include RequestForgeryProtectionActions
- protect_from_forgery :only => :index
+ protect_from_forgery :only => %w(index meta)
 end
 class FreeCookieController < RequestForgeryProtectionController
@@ -211,6 +215,11 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase
 ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
 ActionController::Base.request_forgery_protection_token = :authenticity_token
 end
+
+ test 'should emit a csrf-token meta tag' do
+ get :meta
+ assert_equal %(), @response.body
+ end
 end
 class FreeCookieControllerTest < ActionController::TestCase
@@ -238,6 +247,11 @@ class FreeCookieControllerTest < ActionController::TestCase
 assert_nothing_raised { send(method, :index)}
 end
 end
+
+ test 'should not emit a csrf-token meta tag' do
+ get :meta
+ assert @response.body.blank?
+ end
 end
 class CustomAuthenticityParamControllerTest < ActionController::TestCase
diff --git a/railties/lib/generators/erb/scaffold/templates/layout.html.erb b/railties/lib/generators/erb/scaffold/templates/layout.html.erb
index 496de90ebb..420d17f33c 100644
--- a/railties/lib/generators/erb/scaffold/templates/layout.html.erb
+++ b/railties/lib/generators/erb/scaffold/templates/layout.html.erb
@@ -4,6 +4,7 @@ <%= controller_class_name %>: <%%= controller.action_name %>
 <%%= stylesheet_link_tag 'scaffold' %>
 <%%= javascript_include_tag :defaults %>
+ <%%= csrf_meta_tag %>
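Review bot: In the 'should emit a csrf-token meta tag' test, `assert_equal %(), @response.body` compares against a literal that is empty as shown here (likely lost in extraction); the expected string should spell out the full tag built from `@token`, which `setup` stubs via `ActiveSupport::SecureRandom.stubs(:base64).returns(@token)`, so that a change to the tag shape or attribute names fails loudly. A second assertion with the stub returning a token containing `"` or `<` would pin the helper's escaping contract, which neither of the two new tests exercises. `protect_from_forgery :only => %w(index meta)` switches to string names where the removed line used a symbol; `:only => [:index, :meta]` would match the file's style. The test classes continue outside the hunks.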