@@ -25,6 +25,9 @@ module FormTagHelper
25
25
# * <tt>:method</tt> - The method to use when submitting the form, usually either "get" or "post".
26
26
# If "put", "delete", or another verb is used, a hidden input with name <tt>_method</tt>
27
27
# is added to simulate the verb over post.
28
+ # * <tt>:authenticity_token</tt> - Authenticity token to use in the form. Use only if you need to
29
+ # pass custom authenticity token string, or to not add authenticity_token field at all
30
+ # (by passing <tt>false</tt>).
28
31
# * A list of parameters to feed to the URL the form will be posted to.
29
32
# * <tt>:remote</tt> - If set to true, will allow the Unobtrusive JavaScript drivers to control the
30
33
# submit behaviour. By default this behaviour is an ajax submit.
@@ -47,6 +50,12 @@ module FormTagHelper
47
50
# <%= form_tag('/posts', :remote => true) %>
48
51
# # => <form action="/posts" method="post" data-remote="true">
49
52
#
53
+ # form_tag('http://far.away.com/form', :authenticity_token => false)
54
+ # # form without authenticity token
55
+ #
56
+ # form_tag('http://far.away.com/form', :authenticity_token => "cf50faa3fe97702ca1ae")
57
+ # # form with custom authenticity token
58
+ #
50
59
def form_tag ( url_for_options = { } , options = { } , *parameters_for_url , &block )
51
60
html_options = html_options_for_form ( url_for_options , options , *parameters_for_url )
52
61
if block_given?
@@ -584,13 +593,15 @@ def html_options_for_form(url_for_options, options, *parameters_for_url)
584
593
html_options [ "action" ] = url_for ( url_for_options , *parameters_for_url )
585
594
html_options [ "accept-charset" ] = "UTF-8"
586
595
html_options [ "data-remote" ] = true if html_options . delete ( "remote" )
596
+ html_options [ "authenticity_token" ] = html_options . delete ( "authenticity_token" ) if html_options . has_key? ( "authenticity_token" )
587
597
end
588
598
end
589
599
590
600
def extra_tags_for_form ( html_options )
591
601
snowman_tag = tag ( :input , :type => "hidden" ,
592
602
:name => "utf8" , :value => "✓" . html_safe )
593
603
604
+ authenticity_token = html_options . delete ( "authenticity_token" )
594
605
method = html_options . delete ( "method" ) . to_s
595
606
596
607
method_tag = case method
@@ -599,10 +610,10 @@ def extra_tags_for_form(html_options)
599
610
''
600
611
when /^post$/i , "" , nil
601
612
html_options [ "method" ] = "post"
602
- token_tag
613
+ token_tag ( authenticity_token )
603
614
else
604
615
html_options [ "method" ] = "post"
605
- tag ( :input , :type => "hidden" , :name => "_method" , :value => method ) + token_tag
616
+ tag ( :input , :type => "hidden" , :name => "_method" , :value => method ) + token_tag ( authenticity_token )
606
617
end
607
618
608
619
tags = snowman_tag << method_tag
@@ -622,11 +633,12 @@ def form_tag_in_block(html_options, &block)
622
633
output . safe_concat ( "</form>" )
623
634
end
624
635
625
- def token_tag
626
- unless protect_against_forgery?
636
+ def token_tag ( token )
637
+ if token == false || ! protect_against_forgery?
627
638
''
628
639
else
629
- tag ( :input , :type => "hidden" , :name => request_forgery_protection_token . to_s , :value => form_authenticity_token )
640
+ token = form_authenticity_token if token . nil?
641
+ tag ( :input , :type => "hidden" , :name => request_forgery_protection_token . to_s , :value => token )
630
642
end
631
643
end
632
644
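Review bot: In the rewritten `token_tag`, an explicit token string is silently dropped whenever `protect_against_forgery?` is false, because the guard `if token == false || !protect_against_forgery?` tests the app-level flag before it looks at the caller's value; a caller supplying a custom token for a remote form (the documented use case) would then get no hidden field at all in an environment that has forgery protection disabled, e.g. a test environment. If the explicit token is meant to be honoured regardless of the local setting, the guard should be `if token == false || (token.nil? && !protect_against_forgery?)`, leaving only the auto-generated token gated on `protect_against_forgery?`. Separately, the option documentation in the first hunk should state plainly that `false` switches CSRF protection off for that form and is only appropriate for forms posted to a different application, since a same-app POST without the token will presumably be treated as unverified by the controller; something like `# Passing false disables CSRF protection for this form only; use it solely for forms that post to an external site that does not share this session.` would make the risk explicit to callers.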