mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/railties/test/rails_info_controller_test.rb
Jose and Yehuda 56cdc81c08 Remove default match without specified method
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.

In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.

This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.

Closes #5964
2012-04-24 22:52:26 -05:00


require 'abstract_unit'
# Reopens ActionController::Base for this test file and mixes in
# ActionController::Testing. The nested module/class form is kept as written.
module ActionController
  class Base
    include ActionController::Testing
  end
end
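# Functional tests for the access control around Rails::InfoController#properties.
#
# The action is expected to answer local requests, and any request when all
# requests are considered local, and to refuse everything else with 403.
class InfoControllerTest < ActionController::TestCase
  tests Rails::InfoController

  # Baseline shared by every test: the request is local and the
  # "consider all requests local" switch is off. Individual tests override
  # one or both stubs to exercise the deny and allow paths.
  def setup
    # Routed with an explicit verb (+get+) rather than a verb-less +match+.
    Rails.application.routes.draw do
      get '/rails/info/properties' => "rails/info#properties"
    end
    @request.stubs(:local? => true)
    @controller.stubs(:consider_all_requests_local? => false)
    @routes = Rails.application.routes
    # NOTE(review): the route redraw and this include both act on shared
    # objects (the application route set, the controller class) and this class
    # defines no teardown that restores them.
    Rails::InfoController.send(:include, @routes.url_helpers)
  end

  test "info controller does not allow remote requests" do
    @request.stubs(:local? => false)
    get :properties
    assert_response :forbidden
    # A 403 status alone does not show that the body is clean: also check that
    # the properties table was not rendered into the refused response.
    assert_select 'table', false
  end

  test "info controller renders an error message when request was forbidden" do
    @request.stubs(:local? => false)
    get :properties
    # Pin the status as well, so a <p> on a successful page cannot satisfy
    # a test that is named after the forbidden case.
    assert_response :forbidden
    assert_select 'p'
  end

  test "info controller allows requests when all requests are considered local" do
    # Remote request, but the controller-level override is on.
    @request.stubs(:local? => false)
    @controller.stubs(:consider_all_requests_local? => true)
    get :properties
    assert_response :success
  end

  test "info controller allows local requests" do
    # Uses the setup baseline unchanged: local request, override off.
    get :properties
    assert_response :success
  end

  test "info controller renders a table with properties" do
    get :properties
    assert_select 'table'
  end
end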