Permalink
Browse files

RequestForgeryProtection now works with the new base

  • Loading branch information...
1 parent 886eeed commit 59b32f2883b58a1e7bf2c246801a605b673e3fb6 @lifo lifo committed May 21, 2009
View
@@ -63,7 +63,7 @@ Rake::TestTask.new(:test_new_base_on_old_tests) do |t|
t.test_files = %w(
addresses_render base benchmark caching capture content_type dispatcher
flash mime_responds record_identifier redirect render rescue url_rewriter
- webservice verification
+ webservice verification request_forgery_protection
).map { |name| "test/controller/#{name}_test.rb" }
end
@@ -3,12 +3,26 @@ class InvalidAuthenticityToken < ActionControllerError #:nodoc:
end
module RequestForgeryProtection
- def self.included(base)
- base.class_eval do
- helper_method :form_authenticity_token
- helper_method :protect_against_forgery?
+ extend ActiveSupport::DependencyModule
+
+ # TODO : Remove the defined? check when new base is the main base
+ if defined?(ActionController::Http)
+ depends_on AbstractController::Helpers, Session
+ end
+
+ included do
+ if defined?(ActionController::Http)
+ # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
+ # sets it to <tt>:authenticity_token</tt> by default.
+ cattr_accessor :request_forgery_protection_token
+
+ # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
+ class_inheritable_accessor :allow_forgery_protection
+ self.allow_forgery_protection = true
end
- base.extend(ClassMethods)
+
+ helper_method :form_authenticity_token
+ helper_method :protect_against_forgery?
end
# Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a
@@ -25,8 +25,9 @@ module ActionController
autoload :UrlRewriter, 'action_controller/routing/generation/url_rewriter'
autoload :UrlWriter, 'action_controller/routing/generation/url_rewriter'
- autoload :Verification, 'action_controller/base/verification'
- autoload :Flash, 'action_controller/base/chained/flash'
+ autoload :Verification, 'action_controller/base/verification'
+ autoload :Flash, 'action_controller/base/chained/flash'
+ autoload :RequestForgeryProtection, 'action_controller/base/request_forgery_protection'
require 'action_controller/routing'
end
@@ -14,10 +14,6 @@ class Base < Http
include ActionController::Layouts
include ActionController::ConditionalGet
- include ActionController::Session
- include ActionController::Flash
- include ActionController::Verification
-
# Legacy modules
include SessionManagement
include ActionDispatch::StatusCodes
@@ -27,6 +23,11 @@ class Base < Http
# Rails 2.x compatibility
include ActionController::Rails2Compatibility
+ include ActionController::Session
+ include ActionController::Flash
+ include ActionController::Verification
+ include ActionController::RequestForgeryProtection
+
# TODO: Extract into its own module
# This should be moved together with other normalizing behavior
module ImplicitRender
@@ -1,7 +1,10 @@
module ActionController
module Rails2Compatibility
extend ActiveSupport::DependencyModule
-
+
+ class ::ActionController::ActionControllerError < StandardError #:nodoc:
+ end
+
# Temporary hax
included do
::ActionController::UnknownAction = ::AbstractController::ActionNotFound
@@ -65,7 +68,6 @@ def template
end
module ClassMethods
- def protect_from_forgery() end
def consider_all_requests_local() end
def rescue_action(env)
raise env["action_dispatch.rescue.exception"]
@@ -46,6 +46,7 @@ module ActionDispatch
autoload :ShowExceptions, 'action_dispatch/middleware/show_exceptions'
autoload :MiddlewareStack, 'action_dispatch/middleware/stack'
+ autoload :HTML, 'action_controller/vendor/html-scanner'
autoload :Assertions, 'action_dispatch/testing/assertions'
autoload :TestRequest, 'action_dispatch/testing/test_request'
autoload :TestResponse, 'action_dispatch/testing/test_response'

0 comments on commit 59b32f2

Please sign in to comment.