Skip to content
Browse files

Move request forgery protection configuration to the AC config object

	This is an interim solution pending revisiting the rails
	framework configuration situation.
  • Loading branch information...
1 parent 0045f37 commit 01f0e47663bbbc593af0c36d4cf49124b200e3d8 Carl Lerche committed Mar 8, 2010
View
45 actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -12,11 +12,10 @@ module RequestForgeryProtection
included do
# Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
# sets it to <tt>:authenticity_token</tt> by default.
- cattr_accessor :request_forgery_protection_token
+ config.request_forgery_protection_token ||= true
# Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
- class_attribute :allow_forgery_protection
- self.allow_forgery_protection = true
+ config.allow_forgery_protection ||= true
helper_method :form_authenticity_token
helper_method :protect_against_forgery?
@@ -80,9 +79,47 @@ def protect_from_forgery(options = {})
self.request_forgery_protection_token ||= :authenticity_token
before_filter :verify_authenticity_token, options
end
+
+ def request_forgery_protection_token
+ config.request_forgery_protection_token
+ end
+
+ def request_forgery_protection_token=(val)
+ config.request_forgery_protection_token = val
+ end
+
+ def allow_forgery_protection
+ config.allow_forgery_protection
+ end
+
+ def allow_forgery_protection=(val)
+ config.allow_forgery_protection = val
+ end
end
protected
+
+ def protect_from_forgery(options = {})
+ self.request_forgery_protection_token ||= :authenticity_token
+ before_filter :verify_authenticity_token, options
+ end
+
+ def request_forgery_protection_token
+ config.request_forgery_protection_token
+ end
+
+ def request_forgery_protection_token=(val)
+ config.request_forgery_protection_token = val
+ end
+
+ def allow_forgery_protection
+ config.allow_forgery_protection
+ end
+
+ def allow_forgery_protection=(val)
+ config.allow_forgery_protection = val
+ end
+
# The actual before_filter that is used. Modify this to change how you handle unverified requests.
def verify_authenticity_token
verified_request? || raise(ActionController::InvalidAuthenticityToken)
@@ -109,7 +146,7 @@ def form_authenticity_param
end
def protect_against_forgery?
- self.class.allow_forgery_protection
+ config.allow_forgery_protection
end
end
end
View
5 actionpack/lib/action_controller/railtie.rb
@@ -46,10 +46,11 @@ class Railtie < Rails::Railtie
initializer "action_controller.set_configs" do |app|
paths = app.config.paths
ac = app.config.action_controller
- ac.assets_dir = paths.public.to_a.first
+
+ ac.assets_dir = paths.public.to_a.first
ac.javascripts_dir = paths.public.javascripts.to_a.first
ac.stylesheets_dir = paths.public.stylesheets.to_a.first
- ac.secret = app.config.cookie_secret
+ ac.secret = app.config.cookie_secret
ActionController.base_hook { self.config.replace(ac) }
end

1 comment on commit 01f0e47

@josh
Ruby on Rails member
josh commented on 01f0e47 Mar 8, 2010
ivar_table.allow_forgery_protection = true
Please sign in to comment.
Something went wrong with that request. Please try again.