authenticity_token option for form_tag [#2988 state:resolved]

rails · Dec 27, 2010 · 5106ce88e44286b88e5c2e2c261deb7e28392994 · 5106ce8
1 parent 5d1d9bf
commit 5106ce88e44286b88e5c2e2c261deb7e28392994
Unified Split

Showing with 37 additions and 5 deletions.

+2 −0 actionpack/CHANGELOG

+17 −5 actionpack/lib/action_view/helpers/form_tag_helper.rb

+18 −0 actionpack/test/controller/request_forgery_protection_test.rb
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *Rails 3.1.0 (unreleased)*

+* Add an :authenticity_token option to form_tag for custom handling or to omit the token (pass :authenticity_token => false).  [Jakub Kuźma, Igor Wiedler]
+
 * HTML5 button_tag helper. [Rizwan Reza]

 * Template lookup now searches further up in the inheritance chain. [Artemave]
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -25,6 +25,9 @@ module FormTagHelper
      # * <tt>:method</tt> - The method to use when submitting the form, usually either "get" or "post".
      #   If "put", "delete", or another verb is used, a hidden input with name <tt>_method</tt>
      #   is added to simulate the verb over post.
+      # * <tt>:authenticity_token</tt> - Authenticity token to use in the form. Use only if you need to
+      #   pass custom authenticity token string, or to not add authenticity_token field at all
+      #   (by passing <tt>false</tt>).
      # * A list of parameters to feed to the URL the form will be posted to.
      # * <tt>:remote</tt> - If set to true, will allow the Unobtrusive JavaScript drivers to control the
      #   submit behaviour. By default this behaviour is an ajax submit.
@@ -47,6 +50,12 @@ module FormTagHelper
      #  <%= form_tag('/posts', :remote => true) %>
      #   # => <form action="/posts" method="post" data-remote="true">
      #
+      #   form_tag('http://far.away.com/form', :authenticity_token => false)
+      #   # form without authenticity token
+      #
+      #   form_tag('http://far.away.com/form', :authenticity_token => "cf50faa3fe97702ca1ae")
+      #   # form with custom authenticity token
+      #
      def form_tag(url_for_options = {}, options = {}, *parameters_for_url, &block)
        html_options = html_options_for_form(url_for_options, options, *parameters_for_url)
        if block_given?
@@ -584,13 +593,15 @@ def html_options_for_form(url_for_options, options, *parameters_for_url)
            html_options["action"]  = url_for(url_for_options, *parameters_for_url)
            html_options["accept-charset"] = "UTF-8"
            html_options["data-remote"] = true if html_options.delete("remote")
+            html_options["authenticity_token"] = html_options.delete("authenticity_token") if html_options.has_key?("authenticity_token")
          end
        end

        def extra_tags_for_form(html_options)
          snowman_tag = tag(:input, :type => "hidden",
                            :name => "utf8", :value => "&#x2713;".html_safe)

+          authenticity_token = html_options.delete("authenticity_token")
          method = html_options.delete("method").to_s

          method_tag = case method
@@ -599,10 +610,10 @@ def extra_tags_for_form(html_options)
              ''
            when /^post$/i, "", nil
              html_options["method"] = "post"
-              token_tag
+              token_tag(authenticity_token)
            else
              html_options["method"] = "post"
-              tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag
+              tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag(authenticity_token)
          end

          tags = snowman_tag << method_tag
@@ -622,11 +633,12 @@ def form_tag_in_block(html_options, &block)
          output.safe_concat("</form>")
        end

-        def token_tag
-          unless protect_against_forgery?
+        def token_tag(token)
+          if token == false || !protect_against_forgery?
            ''
          else
-            tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
+            token = form_authenticity_token if token.nil?
+            tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => token)
          end
        end

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -12,6 +12,14 @@ def show_button
    render :inline => "<%= button_to('New', '/') {} %>"
  end

+  def external_form
+    render :inline => "<%= form_tag('http://farfar.away/form', :authenticity_token => 'external_token') {} %>"
+  end
+
+  def external_form_without_protection
+    render :inline => "<%= form_tag('http://farfar.away/form', :authenticity_token => false) {} %>"
+  end
+
  def unsafe
    render :text => 'pwn'
  end
@@ -65,6 +73,16 @@ def test_should_render_button_to_with_token_tag
    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
  end

+  def test_should_render_external_form_with_external_token
+    get :external_form
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', 'external_token'
+  end
+
+  def test_should_render_external_form_without_token
+    get :external_form_without_protection
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+  end
+
  def test_should_allow_get
    get :index
    assert_response :success