Expose CSRF tag for UJS adapters

2022-11-09 12:12:34 -05:00 · 2010-02-04 14:15:16 -08:00 · 2010-02-04 14:15:16 -08:00 · 78de17cf70
commit 78de17cf70
parent 127e53453d
4 changed files with 30 additions and 1 deletions
--- a/actionpack/lib/action_view/helpers.rb
+++ b/actionpack/lib/action_view/helpers.rb
@ -7,6 +7,7 @@ module ActionView #:nodoc:
    autoload :AtomFeedHelper, 'action_view/helpers/atom_feed_helper'
    autoload :CacheHelper, 'action_view/helpers/cache_helper'
    autoload :CaptureHelper, 'action_view/helpers/capture_helper'
+    autoload :CsrfHelper, 'action_view/helpers/csrf_helper'
    autoload :DateHelper, 'action_view/helpers/date_helper'
    autoload :DebugHelper, 'action_view/helpers/debug_helper'
    autoload :FormHelper, 'action_view/helpers/form_helper'
@ -40,6 +41,7 @@ module ActionView #:nodoc:
    include AtomFeedHelper
    include CacheHelper
    include CaptureHelper
+    include CsrfHelper
    include DateHelper
    include DebugHelper
    include FormHelper
--- a/actionpack/lib/action_view/helpers/csrf_helper.rb
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@ -0,0 +1,12 @@
+module ActionView
+  module Helpers
+    module CsrfHelper
+      # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
+      def csrf_meta_tag
+        if protect_against_forgery?
+          %(<meta name="csrf-token" content="#{Rack::Utils.escape(form_authenticity_token)}"/>).html_safe
+        end
+      end
+    end
+  end
+end
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@ -15,13 +15,17 @@ module RequestForgeryProtectionActions
    render :text => 'pwn'
  end

+  def meta
+    render :inline => "<%= csrf_meta_tag %>"
+  end
+
  def rescue_action(e) raise e end
 end

 # sample controllers
 class RequestForgeryProtectionController < ActionController::Base
  include RequestForgeryProtectionActions
-  protect_from_forgery :only => :index
+  protect_from_forgery :only => %w(index meta)
 end

 class FreeCookieController < RequestForgeryProtectionController
@ -211,6 +215,11 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase
    ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
    ActionController::Base.request_forgery_protection_token = :authenticity_token
  end
+
+  test 'should emit a csrf-token meta tag' do
+    get :meta
+    assert_equal %(<meta name="csrf-token" content="#{@token}"/>), @response.body
+  end
 end

 class FreeCookieControllerTest < ActionController::TestCase
@ -238,6 +247,11 @@ class FreeCookieControllerTest < ActionController::TestCase
      assert_nothing_raised { send(method, :index)}
    end
  end
+
+  test 'should not emit a csrf-token meta tag' do
+    get :meta
+    assert @response.body.blank?
+  end
 end

 class CustomAuthenticityParamControllerTest < ActionController::TestCase
--- a/railties/lib/generators/erb/scaffold/templates/layout.html.erb
+++ b/railties/lib/generators/erb/scaffold/templates/layout.html.erb
@ -4,6 +4,7 @@
  <title><%= controller_class_name %>: <%%= controller.action_name %></title>
  <%%= stylesheet_link_tag 'scaffold' %>
  <%%= javascript_include_tag :defaults %>
+  <%%= csrf_meta_tag %>
 </head>
 <body>