Fixed that verification violations with no specified action didn't halt the chain (now they do with a 400 Bad Request) [DHH]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8245 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2022-11-09 12:12:34 -05:00 · 2007-11-30 21:04:57 +00:00 · 2007-11-30 21:04:57 +00:00 · e03f13c553
commit e03f13c553
parent b6d255559e
3 changed files with 31 additions and 6 deletions
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@ -1,3 +1,8 @@
+*SVN*
+
+* Fixed that verification violations with no specified action didn't halt the chain (now they do with a 400 Bad Request) [DHH]
+
+
 *2.0.0 [RC2]* (November 28th, 2007)

 * Raise UnknownHttpMethod exception for unknown HTTP methods. Closes #10303 [tarmo]
--- a/actionpack/lib/action_controller/verification.rb
+++ b/actionpack/lib/action_controller/verification.rb
@ -12,7 +12,8 @@ module ActionController #:nodoc:
    # parameters being set, or without certain session values existing.
    #
    # When a verification is violated, values may be inserted into the flash, and
-    # a specified redirection is triggered.
+    # a specified redirection is triggered. If no specific action is configured,
+    # verification failures will by default result in a 400 Bad Request response.
    #
    # Usage:
    #
@ -81,7 +82,7 @@ module ActionController #:nodoc:
      prereqs_invalid =
        [*options[:params] ].find { |v| params[v].nil?  } ||
        [*options[:session]].find { |v| session[v].nil? } ||
-        [*options[:flash]  ].find { |v| flash[v].nil?    }
+        [*options[:flash]  ].find { |v| flash[v].nil?   }
      
      if !prereqs_invalid && options[:method]
        prereqs_invalid ||= 
@ -93,13 +94,21 @@ module ActionController #:nodoc:
      if prereqs_invalid
        flash.update(options[:add_flash]) if options[:add_flash]
        response.headers.update(options[:add_headers]) if options[:add_headers]
+
        unless performed?
-          render(options[:render]) if options[:render]
-          options[:redirect_to] = self.send!(options[:redirect_to]) if options[:redirect_to].is_a? Symbol
-          redirect_to(options[:redirect_to]) if options[:redirect_to]
+          case
+          when options[:render]
+            render(options[:render])
+          when options[:redirect_to]
+            options[:redirect_to] = self.send!(options[:redirect_to]) if options[:redirect_to].is_a?(Symbol)
+            redirect_to(options[:redirect_to])
+          else
+            head(:bad_request)
+          end
        end
      end
    end
+
    private :verify_action
  end
-end
+end
--- a/actionpack/test/controller/verification_test.rb
+++ b/actionpack/test/controller/verification_test.rb
@ -37,6 +37,8 @@ class VerificationTest < Test::Unit::TestCase
    verify :only => :guarded_one_for_named_route_test, :params => "one",
           :redirect_to => :foo_url

+    verify :only => :no_default_action, :params => "santa"
+
    def guarded_one
      render :text => "#{params[:one]}"
    end
@ -89,6 +91,10 @@ class VerificationTest < Test::Unit::TestCase
      render :text => "Was a post!"
    end
    
+    def no_default_action
+      # Will never run
+    end
+    
    protected
      def rescue_action(e) raise end

@ -229,6 +235,11 @@ class VerificationTest < Test::Unit::TestCase
    assert_equal "Was a post!", @response.body
  end
    
+  def test_default_failure_should_be_a_bad_request
+    post :no_default_action
+    assert_response :bad_request
+  end
+    
  def test_guarded_post_and_calls_render_fails_and_sets_allow_header
    get :must_be_post
    assert_response 405