New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow for custom env settings to be set and simple csrf support #80
Conversation
too (Sinatra was throwing too many warnings otherwise).
through subsequent requests. - There's an env method that allows managing those in the same way that `header` works. - Added tests for that too. - Added a csrf method to automatically add everything a csrf token/request needs to work so you can save tons of lines in testing csrf enabled controllers.
Looks good to me 👍 |
The The |
Yeah, I agree #csrf might be a bit too specific but since I saw the auth As for #env, the problem is that if it doesn't happen at that level it On Monday, April 15, 2013, Bryan Helmkamp wrote:
Darío |
Yeah for CSRF the different to me is that authentication is an HTTP standard, whereas CSRF is not. For the |
Sorry for the late reply, lost track of this issue and it just came back to my head today!.. I think that it's important to expose The CSRF case couldn't be a better example. If you don't have access to An alternative to this would be to limit the scope and only allow for session values to be set in the same way that headers are being set. I can't think of other use cases off the top of my head. However, they might come up and instead of having to patch up new methods I reckon that it could be a good idea to leave it open. What do you think? Thanks |
OK, I'll take the |
Hey @brynary, just removed the csrf code. Let me know if you want me to issue a new PR with only one commit to make it even cleaner. :) Thanks for taking this one in. |
Allow for custom env settings to be set
Thanks! |
Hey @brynary,
How're things?
Helping @Rex37 trying to come on board using Padrino we've come across the need to test out controllers protected from CSRF.
From the rack-protection specs you can tell it's not that hard to do so but it clearly becomes a burden when you have to start setting all of that extra code
{'rack.session' => {:csrf => "b"}, 'HTTP_X_CSRF_TOKEN' => "b"})
for each unsafe method you test.This PR intends to cover that along by adding a
csrf
helper that allows a user to do something as simple as:and they can forget about csrf management for that test group until they clear it out with
csrf(false)
.In order to have the validation work fine, I needed two things: a header and a session value. The header was taken care by
header
but I just couldn't find a way of setting the session value across all of the requests.That is why I implemented an
env
method that allows you to set anything on the env object. I know this might sound risky but in all fairness, whomever is implementing the tests should know how to handle that.However, there might be another way of doing it that I'm just not aware of.
What do you think about this?
Thanks! :)