Permalink
Browse files

Fixed ActionView::Helpers::ActiveRecordHelper::form for when protect_…

…from_forgery is used (closes #10739) [jeremyevans]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8626 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
1 parent 104f31a commit 5d1a305f066daf5a60b2b1158d5d2aeae6fe32cb @dhh dhh committed Jan 11, 2008
@@ -1,5 +1,7 @@
*SVN*
+* Fixed ActionView::Helpers::ActiveRecordHelper::form for when protect_from_forgery is used #10739 [jeremyevans]
+
* Provide nicer access to HTTP Headers. Instead of request.env["HTTP_REFERRER"] you can now use request.headers["Referrer"]. [Koz]
* UrlWriter respects relative_url_root. #10748 [Cheah Chu Yeow]
@@ -56,6 +56,14 @@ def input(record_name, method, options = {})
# form << content_tag("b", "Department")
# form << collection_select("department", "id", @departments, "id", "name")
# end
+ #
+ # The following options are available:
+ #
+ # * <tt>action</tt> - the action used when submitting the form (default: create if a new record, otherwise update)
+ # * <tt>input_block</tt> - specialize the output using a different block, see above
+ # * <tt>method</tt> - the method used when submitting the form (default: post)
+ # * <tt>multipart</tt> - whether to change the enctype of the form to multipart/form-date, used when uploading a file (default: false)
+ # * <tt>submit_value</tt> - the text of the submit button (default: Create if a new record, otherwise Update)
def form(record_name, options = {})
record = instance_variable_get("@#{record_name}")
@@ -65,13 +73,12 @@ def form(record_name, options = {})
submit_value = options[:submit_value] || options[:action].gsub(/[^\w]/, '').capitalize
- contents = ''
+ contents = form_tag({:action => action}, :method =>(options[:method] || 'post'), :enctype => options[:multipart] ? 'multipart/form-data': nil)
contents << hidden_field(record_name, :id) unless record.new_record?
contents << all_input_tags(record, record_name, options)
yield contents if block_given?
contents << submit_tag(submit_value)
-
- content_tag('form', contents, :action => action, :method => 'post', :enctype => options[:multipart] ? 'multipart/form-data': nil)
+ contents << '</form>'
end
# Returns a string containing the error message attached to the +method+ on the +object+ if one exists.
@@ -86,6 +86,11 @@ def User.content_columns() [ Column.new(:string, "email", "Email") ] end
@user.email = ""
end
+
+ def protect_against_forgery?
+ @protect_against_forgery ? true : false
+ end
+ attr_accessor :request_forgery_protection_token, :form_authenticity_token
def setup
setup_post
@@ -140,6 +145,23 @@ def id() 1 end
form("post")
)
end
+
+ def test_form_with_protect_against_forgery
+ @protect_against_forgery = true
+ @request_forgery_protection_token = 'authenticity_token'
+ @form_authenticity_token = '123'
+ assert_dom_equal(
+ %(<form action="create" method="post"><div style='margin:0;padding:0'><input type='hidden' name='authenticity_token' value='123' /></div><p><label for="post_title">Title</label><br /><input id="post_title" name="post[title]" size="30" type="text" value="Hello World" /></p>\n<p><label for="post_body">Body</label><br /><div class="fieldWithErrors"><textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea></div></p><input name="commit" type="submit" value="Create" /></form>),
+ form("post")
+ )
+ end
+
+ def test_form_with_method_option
+ assert_dom_equal(
+ %(<form action="create" method="get"><p><label for="post_title">Title</label><br /><input id="post_title" name="post[title]" size="30" type="text" value="Hello World" /></p>\n<p><label for="post_body">Body</label><br /><div class="fieldWithErrors"><textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea></div></p><input name="commit" type="submit" value="Create" /></form>),
+ form("post", :method=>'get')
+ )
+ end
def test_form_with_action_option
@response.body = form("post", :action => "sign")

0 comments on commit 5d1a305

Please sign in to comment.