Add a `report` reaction

This reaction does not halt the request, but leaves it up to the app to react on this information. This allows e.g. frameworks to ignore failures in certain conditions.
2013-03-10 19:09:27 +01:00 · 2013-03-10 19:09:27 +01:00 · 3835ec3ea8
parent b4dc4f360e
commit 3835ec3ea8
2 changed files with 17 additions and 0 deletions
--- a/rack-protection/lib/rack/protection/base.rb
+++ b/rack-protection/lib/rack/protection/base.rb
@ -11,6 +11,7 @@ module Rack
        :message     => 'Forbidden',       :encryptor => Digest::SHA1,
        :session_key => 'rack.session',    :status    => 403,
        :allow_empty_referrer => true,
+        :report_key           => "protection.failed",
        :html_types           => %w[text/html application/xhtml]
      }

@ -63,6 +64,10 @@ module Rack
        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
      end

+      def report(env)
+        env[options[:report_key]] = true
+      end
+
      def session?(env)
        env.include? options[:session_key]
      end
--- a/rack-protection/spec/protection_spec.rb
+++ b/rack-protection/spec/protection_spec.rb
@ -18,6 +18,18 @@ describe Rack::Protection do
    session.should be_empty
  end

+  it 'passes errors through if :reaction => :report is used' do
+    mock_app do
+      use Rack::Protection, :reaction => :report
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
+    end
+
+    session = {:foo => :bar}
+    post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
+    last_response.should be_ok
+    body.should == "true"
+  end
+
  describe "#html?" do
    context "given an appropriate content-type header" do
      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }