
config.action_view.embed_authenticity_token_in_remote_forms is true by default

Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms`
to `false`. This change breaks remote forms that need to work also without javascript,
so if you need such behavior, you can either set it to `true` or explicitly pass
`:authenticity_token => true` in form options
1 parent 805b15f commit 128cfbdf4d316a544a76e5c58dbeac153f3d4e36 @drogus drogus committed Mar 28, 2012
@@ -1,5 +1,10 @@
## Rails 4.0.0 (unreleased) ##
+* Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms`
+ to `false`. This change breaks remote forms that need to work also without javascript,
+ so if you need such behavior, you can either set it to `true` or explicitly pass
+ `:authenticity_token => true` in form options
+
* Added ActionDispatch::SSL middleware that when included force all the requests to be under HTTPS protocol. *Rafael Mendonça França*
* Add `include_hidden` option to select tag. With `:include_hidden => false` select with `multiple` attribute doesn't generate hidden input with blank value. *Vasiliy Ermolovich*
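Review bot: The new CHANGELOG entry has no author credit and no closing period, unlike the two entries below it, which end with the contributor's name in asterisks. It also tells upgraders what breaks but not what remote forms rely on instead; one clause saying the token is then read from the page's meta tag would make the entry self-contained.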
@@ -19,7 +19,7 @@ module FormTagHelper
include TextHelper
mattr_accessor :embed_authenticity_token_in_remote_forms
- self.embed_authenticity_token_in_remote_forms = true
+ self.embed_authenticity_token_in_remote_forms = false
# Starts a form tag that points the action to an url configured with <tt>url_for_options</tt> just like
# ActionController::Base#url_for. The method for the form defaults to POST.
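Review bot: `mattr_accessor :embed_authenticity_token_in_remote_forms` still carries no comment, and with the default on the next line flipped to `false` a reader of this file cannot tell that a `:remote => true` form now renders without the hidden token field and fails forgery-protection verification when submitted without JavaScript. A short comment above the accessor stating that, and naming `:authenticity_token => true` as the per-form override, would document the behaviour where it is defined.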
@@ -7,7 +7,7 @@ class Railtie < Rails::Railtie
config.action_view = ActiveSupport::OrderedOptions.new
config.action_view.stylesheet_expansions = {}
config.action_view.javascript_expansions = { :defaults => %w(jquery jquery_ujs) }
- config.action_view.embed_authenticity_token_in_remote_forms = true
+ config.action_view.embed_authenticity_token_in_remote_forms = false
initializer "action_view.embed_authenticity_token_in_remote_forms" do |app|
ActiveSupport.on_load(:action_view) do
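Review bot: The literal `false` assigned to `config.action_view.embed_authenticity_token_in_remote_forms` repeats the default already set in `FormTagHelper`, so the two can drift the next time the default changes. Consider keeping the value in one place, or, since the body of the initializer below is not shown in this hunk, confirm that it copies the config value onto the helper so the Railtie setting always wins inside an application.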
@@ -116,42 +116,37 @@ def test_should_render_button_to_with_token_tag
assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token
end
- def test_should_render_form_with_token_tag_if_remote
+ def test_should_render_form_without_token_tag_if_remote
assert_not_blocked do
get :form_for_remote
end
- assert_match(/authenticity_token/, response.body)
+ assert_no_match(/authenticity_token/, response.body)
end
- def test_should_render_form_without_token_tag_if_remote_and_embedding_token_is_off
+ def test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_on
+ original = ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms
begin
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
assert_not_blocked do
get :form_for_remote
end
- assert_no_match(/authenticity_token/, response.body)
+ assert_match(/authenticity_token/, response.body)
ensure
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = original
end
end
- def test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_off_but_true_option_passed
- begin
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
+ def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested_and_embedding_is_on
+ original = ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms
+ begin
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
assert_not_blocked do
- get :form_for_remote_with_token
+ get :form_for_remote_with_external_token
end
- assert_match(/authenticity_token/, response.body)
+ assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', 'external_token'
ensure
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
- end
- end
-
- def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested
- assert_not_blocked do
- get :form_for_remote_with_external_token
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = original
end
- assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', 'external_token'
end
def test_should_render_form_with_token_tag_if_remote_and_authenticity_token_requested
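Review bot: After this change the custom-token case (`get :form_for_remote_with_external_token`) is exercised only with embedding forced to `true`; the version that ran under the default setting is deleted, so nothing pins what a remote form with an explicitly supplied token renders under the new default of `false`. Add a test for that combination asserting the intended output, either the `custom_authenticity_token` input or its absence. The save-and-restore of `embed_authenticity_token_in_remote_forms` is also duplicated in two tests now and could move into a small helper that takes a block.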
@@ -395,7 +395,7 @@ And can reference in the view with the following code:
* +config.action_view.cache_asset_ids+ With the cache enabled, the asset tag helper methods will make fewer expensive file system calls (the default implementation checks the file system timestamp). However this prevents you from modifying any asset files while the server is running.
-* +config.action_view.embed_authenticity_token_in_remote_forms+ This is by default set to true. If you set it to false, authenticity_token will not be added to forms with +:remote => true+ by default. You can force +authenticity_token+ to be added to such remote form by passing +:authenticity_token => true+ option.
+* +config.action_view.embed_authenticity_token_in_remote_forms+ allows you to set the default behavior for +authenticity_token+ in forms with +:remote => true+. By default it's set to false, which means that remote forms will not include +authenticity_token+, which is helpful when you're fragment-caching the form. Remote forms get the authenticity from the +meta+ tag, so embedding is unnecessary unless you support browsers without JavaScript. In such case you can either pass +:authenticity_token => true+ as a form option or set this config setting to +true+
h4. Configuring Action Mailer
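Review bot: In the added guide entry, "Remote forms get the authenticity from the +meta+ tag" drops the word "token", and the entry ends without a period. Since the new default makes remote forms depend on that tag, the entry should also say that the layout has to render it (`csrf_meta_tags`), and the fragment-caching rationale would be clearer if it said that a cached form would otherwise carry one session's token to other users.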
