mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
56cdc81c08
In the current router DSL, using the +match+ DSL method will match all verbs for the path to the specified endpoint. In the vast majority of cases, people are currently using +match+ when they actually mean +get+. This introduces security implications. This commit disallows calling +match+ without an HTTP verb constraint by default. To explicitly match all verbs, this commit also adds a :via => :all option to +match+. Closes #5964
require 'abstract_unit'
module TestUrlGeneration
  # Integration tests for the generated URL helpers (+foo_path+ / +foo_url+)
  # when a script name (mount prefix) or an explicit protocol is involved.
  class WithMountPoint < ActionDispatch::IntegrationTest
    # Route set private to this test case. The single route is declared with
    # +get+, so it carries an explicit HTTP verb constraint instead of
    # answering every verb.
    Routes = ActionDispatch::Routing::RouteSet.new
    Routes.draw do
      get("/foo", :to => "my_route_generating#index", :as => :foo)
    end

    # Top-level controller backing the route above; its only action renders
    # the path produced by the +foo_path+ helper so the test can inspect it.
    class ::MyRouteGeneratingController < ActionController::Base
      include Routes.url_helpers

      def index
        render(:text => foo_path)
      end
    end

    # Make the same named-route helpers callable directly from the tests.
    include Routes.url_helpers

    # Route set consulted by the included URL helpers.
    def _routes
      Routes
    end

    # Rack application the integration session sends requests to.
    def app
      Routes
    end

    test "generating URLS normally" do
      generated = foo_path

      assert_equal "/foo", generated
    end

    test "accepting a :script_name option" do
      generated = foo_path(:script_name => "/bar")

      assert_equal "/bar/foo", generated
    end

    test "the request's SCRIPT_NAME takes precedence over the routes'" do
      # Third positional argument of the integration +get+: the Rack env /
      # headers sent with the request.
      rack_env = { 'SCRIPT_NAME' => "/new", 'action_dispatch.routes' => Routes }

      get "/foo", {}, rack_env

      assert_equal "/new/foo", response.body
    end

    test "handling http protocol with https set" do
      # The session is switched to HTTPS first; an explicit :protocol option
      # must still decide the scheme of the generated URL.
      https!
      generated = foo_url(:protocol => "http")

      assert_equal "http://www.example.com/foo", generated
    end
  end
end