
Moved the CSRF authenticity token to be generated on the form_tag helper

instead of form_for (the latter uses form_tag at the end anyway...).
Added tests too.
Darío Javier Cravero committed Mar 13, 2013
1 parent 50eb3c8 commit b6ddd1617c9f81868c747bd28edaf35ed1951a6a
@@ -31,9 +31,7 @@ module FormHelpers
# @api public
def form_for(object, url, settings={}, &block)
instance = builder_instance(object, settings)
form_html = instance.csrf_token_field
form_html << capture_html(instance, &block)
form_tag(url, settings) { form_html }
form_tag(url, settings) { capture_html(instance, &block) }
end
##
@@ -83,8 +81,9 @@ def form_tag(url, options={}, &block)
options.reverse_merge!(:method => 'post', :action => url)
options[:enctype] = 'multipart/form-data' if options.delete(:multipart)
options['accept-charset'] ||= 'UTF-8'
inner_form_html = hidden_form_method_field(desired_method)
inner_form_html += mark_safe(capture_html(&block))
inner_form_html = hidden_form_method_field(desired_method)
inner_form_html << csrf_token_field
inner_form_html << mark_safe(capture_html(&block))
concat_content content_tag(:form, inner_form_html, options)
end
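Review bot: `inner_form_html << csrf_token_field` in form_tag is unconditional, so forms submitted with GET also carry the token, and a GET form serialises its fields into the URL, where the token can end up in server logs, browser history and Referer headers. The test file in this commit exercises exactly such a form (`form.advanced-form` with `:method => 'get'`). Consider emitting the field only for non-GET forms, for example `inner_form_html << csrf_token_field unless desired_method.to_s.casecmp('get').zero?`; `desired_method` is assigned above the hunk, so its exact form should be confirmed. The token is also sent to whatever `url` points at, so a form whose action is on another origin would hand it to that site; an explicit opt-out option would cover that case.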
@@ -58,18 +58,21 @@ def app
visit '/erb/form_tag'
assert_have_selector 'form.simple-form', :action => '/simple'
assert_have_selector 'form.advanced-form', :action => '/advanced', :id => 'advanced', :method => 'get'
assert_have_selector :input, :name => 'authenticity_token'
end
should "display correct forms in haml" do
visit '/haml/form_tag'
assert_have_selector 'form.simple-form', :action => '/simple'
assert_have_selector 'form.advanced-form', :action => '/advanced', :id => 'advanced', :method => 'get'
assert_have_selector :input, :name => 'authenticity_token'
end
should "display correct forms in slim" do
visit '/slim/form_tag'
assert_have_selector 'form.simple-form', :action => '/simple'
assert_have_selector 'form.advanced-form', :action => '/advanced', :id => 'advanced', :method => 'get'
assert_have_selector :input, :name => 'authenticity_token'
end
end
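Review bot: The added `assert_have_selector :input, :name => 'authenticity_token'` is not scoped to a form, so it passes as soon as any one input on the page carries that name and would not notice a form rendered without the token. Scoping it per form, e.g. `assert_have_selector 'form.simple-form input', :name => 'authenticity_token', :type => 'hidden'`, pins the behaviour this commit introduces; the same applies to the haml and slim cases. If the token is later suppressed for GET forms, a negative assertion on `form.advanced-form` would document that decision. The first `should` block opens above the hunk.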
