Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Cover one more case in auth_token and remote forms

If embedding auth_token in remote forms is off and we
pass a value for auth_token it should respect it.
  • Loading branch information...
commit db2c1354eb37bc2f5747a2b3faaa7964ed0df986 1 parent 84ca8c8
@drogus drogus authored
View
2  actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -622,7 +622,7 @@ def html_options_for_form(url_for_options, options)
if html_options["data-remote"] &&
!embed_authenticity_token_in_remote_forms &&
- html_options["authenticity_token"] != true
+ html_options["authenticity_token"].blank?
# The authenticity token is taken from the meta tag in this case
html_options["authenticity_token"] = false
elsif html_options["authenticity_token"] == true
View
38 actionpack/test/controller/request_forgery_protection_test.rb
@@ -127,27 +127,33 @@ def test_should_render_form_with_token_tag_if_remote
end
def test_should_render_form_without_token_tag_if_remote_and_embedding_token_is_off
- begin
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
- assert_not_blocked do
- get :form_for_remote
- end
- assert_no_match(/authenticity_token/, response.body)
- ensure
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
+ assert_not_blocked do
+ get :form_for_remote
end
+ assert_no_match(/authenticity_token/, response.body)
+ ensure
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
end
def test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_off_but_true_option_passed
- begin
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
- assert_not_blocked do
- get :form_for_remote_with_token
- end
- assert_match(/authenticity_token/, response.body)
- ensure
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
+ assert_not_blocked do
+ get :form_for_remote_with_token
end
+ assert_match(/authenticity_token/, response.body)
+ ensure
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
+ end
+
+ def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested_and_embedding_is_off
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
+ assert_not_blocked do
+ get :form_for_remote_with_external_token
+ end
+ assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', 'external_token'
+ ensure
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
end
def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested
Please sign in to comment.
Something went wrong with that request. Please try again.