Merge pull request #34797 from gsamokovarov/views-without-defined-protect-against-forgery
Don't expect defined protect_against_forgery? in {token,csrf_meta}_tag
commit
9f0928322f
5 changed files with 63 additions and 5 deletions
|
@ -1,9 +1,13 @@
|
|||
* Fix the need of `#protect_against_forgery?` method defined in
|
||||
`ActionView::Base` subclasses. This prevents the use of forms and buttons.
|
||||
|
||||
*Genadi Samokovarov*
|
||||
|
||||
* Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms.
|
||||
Fixes #33889
|
||||
|
||||
*Wolfgang Hobmaier*
|
||||
|
||||
|
||||
* Prevent non-primary mouse keys from triggering Rails UJS click handlers.
|
||||
Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
|
||||
For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
|
||||
|
@ -16,7 +20,6 @@
|
|||
|
||||
*Wolfgang Hobmaier*
|
||||
|
||||
|
||||
* Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines.
|
||||
|
||||
For example, given input like this:
|
||||
|
@ -34,7 +37,6 @@
|
|||
|
||||
*Lyle Mullican*
|
||||
|
||||
|
||||
* Add allocations to template rendering instrumentation.
|
||||
|
||||
Adds the allocations for template and partial rendering to the server output on render.
|
||||
|
|
|
@ -20,7 +20,7 @@ module ActionView
|
|||
# "X-CSRF-Token" HTTP header. If you are using rails-ujs this happens automatically.
|
||||
#
|
||||
def csrf_meta_tags
|
||||
if protect_against_forgery?
|
||||
if defined?(protect_against_forgery?) && protect_against_forgery?
|
||||
[
|
||||
tag("meta", name: "csrf-param", content: request_forgery_protection_token),
|
||||
tag("meta", name: "csrf-token", content: form_authenticity_token)
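Review bot: The new guard in `csrf_meta_tags` (and the matching one on `token_tag` in the `@ -618,7 +618,7 @@` hunk) silently emits no CSRF token at all when `protect_against_forgery?` is not defined, which is the intended fallback for plain `ActionView::Base` subclasses rendered outside a controller, but nothing at the call site says so; a later reader may take it for a defensive check that also applies to controller-backed views, where a missing helper would now be masked instead of raising and the form would simply post without a token. I would add above the condition: `# protect_against_forgery? is a controller helper; views rendered without one get no CSRF tags instead of a NameError.` The same comment belongs on the `token_tag` guard. Both enclosing methods continue past their hunks, and the `else` branch of `token_tag` is not visible here.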
|
||||
|
|
|
@ -618,7 +618,7 @@ module ActionView
|
|||
end
|
||||
|
||||
def token_tag(token = nil, form_options: {})
|
||||
if token != false && protect_against_forgery?
|
||||
if token != false && defined?(protect_against_forgery?) && protect_against_forgery?
|
||||
token ||= form_authenticity_token(form_options: form_options)
|
||||
tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token)
|
||||
else
|
||||
|
|
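--- /dev/null
+++ b/actionview/test/template/csrf_helper_test.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require "abstract_unit"
+
+class CsrfHelperTest < ActiveSupport::TestCase
+  cattr_accessor :request_forgery, default: false
+
+  include ActionView::Helpers::CsrfHelper
+  include ActionView::Helpers::TagHelper
+  include Rails::Dom::Testing::Assertions::DomAssertions
+
+  def test_csrf_meta_tags_without_request_forgery_protection
+    assert_dom_equal "", csrf_meta_tags
+  end
+
+  def test_csrf_meta_tags_with_request_forgery_protection
+    self.request_forgery = true
+
+    assert_dom_equal <<~DOM.chomp, csrf_meta_tags
+      <meta name="csrf-param" content="form_token" />
+      <meta name="csrf-token" content="secret" />
+    DOM
+  ensure
+    self.request_forgery = false
+  end
+
+  def test_csrf_meta_tags_without_protect_against_forgery_method
+    self.class.undef_method(:protect_against_forgery?)
+
+    assert_dom_equal "", csrf_meta_tags
+  ensure
+    self.class.define_method(:protect_against_forgery?) { request_forgery }
+  end
+
+  def protect_against_forgery?
+    request_forgery
+  end
+
+  def form_authenticity_token(*args)
+    "secret"
+  end
+
+  def request_forgery_protection_token
+    "form_token"
+  end
+end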
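Review bot: `test_csrf_meta_tags_without_protect_against_forgery_method` mutates the test class itself with `undef_method` and relies on the `ensure` block's `define_method` to put back an equivalent method, so every other test in the class (and the same pattern in `test_button_to_without_protect_against_forgery_method` in `UrlHelperTest`) shares that class state; that is fine when tests run sequentially but would be fragile under threaded test parallelization, which I cannot confirm from this page. The restored body `{ request_forgery }` must also be kept in sync by hand with the `def protect_against_forgery?` defined further down. A comment on the `ensure` line would make the intent explicit: `# restore the helper undefined above so later tests in this class still see it`. The `cattr_accessor :request_forgery` switch used by the other tests carries the same sharing caveat.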
|
|
@ -119,6 +119,16 @@ class UrlHelperTest < ActiveSupport::TestCase
|
|||
)
|
||||
end
|
||||
|
||||
def test_button_to_without_protect_against_forgery_method
|
||||
self.class.undef_method(:protect_against_forgery?)
|
||||
assert_dom_equal(
|
||||
%{<form method="post" action="http://www.example.com" class="button_to"><input type="submit" value="Hello" /></form>},
|
||||
button_to("Hello", "http://www.example.com")
|
||||
)
|
||||
ensure
|
||||
self.class.define_method(:protect_against_forgery?) { request_forgery }
|
||||
end
|
||||
|
||||
def test_button_to_with_straight_url
|
||||
assert_dom_equal %{<form method="post" action="http://www.example.com" class="button_to"><input type="submit" value="Hello" /></form>}, button_to("Hello", "http://www.example.com")
|
||||
end
|
||||
|
|