Fixed ActionView::Helpers::ActiveRecordHelper::form for when protect_…

…from_forgery is used (closes #10739) [jeremyevans] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8626 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
rails · Jan 11, 2008 · 5d1a305 · 5d1a305
1 parent 104f31a
commit 5d1a305
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Fixed ActionView::Helpers::ActiveRecordHelper::form for when protect_from_forgery is used #10739 [jeremyevans]
+
 * Provide nicer access to HTTP Headers.  Instead of request.env["HTTP_REFERRER"] you can now use request.headers["Referrer"]. [Koz]
 
 * UrlWriter respects relative_url_root.  #10748 [Cheah Chu Yeow]

diff --git a/actionpack/lib/action_view/helpers/active_record_helper.rb b/actionpack/lib/action_view/helpers/active_record_helper.rb
@@ -56,6 +56,14 @@ def input(record_name, method, options = {})
       #     form << content_tag("b", "Department")
       #     form << collection_select("department", "id", @departments, "id", "name")
       #   end
+      #
+      # The following options are available:
+      #
+      # * <tt>action</tt> - the action used when submitting the form (default: create if a new record, otherwise update)
+      # * <tt>input_block</tt> - specialize the output using a different block, see above
+      # * <tt>method</tt> - the method used when submitting the form (default: post)
+      # * <tt>multipart</tt> - whether to change the enctype of the form to multipart/form-date, used when uploading a file (default: false)
+      # * <tt>submit_value</tt> - the text of the submit button (default: Create if a new record, otherwise Update)
       def form(record_name, options = {})
         record = instance_variable_get("@#{record_name}")
 
@@ -65,13 +73,12 @@ def form(record_name, options = {})
 
         submit_value = options[:submit_value] || options[:action].gsub(/[^\w]/, '').capitalize
 
-        contents = ''
+        contents = form_tag({:action => action}, :method =>(options[:method] || 'post'), :enctype => options[:multipart] ? 'multipart/form-data': nil)
         contents << hidden_field(record_name, :id) unless record.new_record?
         contents << all_input_tags(record, record_name, options)
         yield contents if block_given?
         contents << submit_tag(submit_value)
-
-        content_tag('form', contents, :action => action, :method => 'post', :enctype => options[:multipart] ? 'multipart/form-data': nil)
+        contents << '</form>'
       end
 
       # Returns a string containing the error message attached to the +method+ on the +object+ if one exists.

diff --git a/actionpack/test/template/active_record_helper_test.rb b/actionpack/test/template/active_record_helper_test.rb
@@ -86,6 +86,11 @@ def User.content_columns() [ Column.new(:string, "email", "Email") ] end
 
     @user.email = ""
   end
+
+  def protect_against_forgery?
+    @protect_against_forgery ? true : false
+  end
+  attr_accessor :request_forgery_protection_token, :form_authenticity_token
 
   def setup
     setup_post
@@ -140,6 +145,23 @@ def id() 1 end
       form("post")
     )
   end
+
+  def test_form_with_protect_against_forgery
+    @protect_against_forgery = true
+    @request_forgery_protection_token = 'authenticity_token'
+    @form_authenticity_token = '123'
+    assert_dom_equal(
+      %(<form action="create" method="post"><div style='margin:0;padding:0'><input type='hidden' name='authenticity_token' value='123' /></div><p><label for="post_title">Title</label><br /><input id="post_title" name="post[title]" size="30" type="text" value="Hello World" /></p>\n<p><label for="post_body">Body</label><br /><div class="fieldWithErrors"><textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea></div></p><input name="commit" type="submit" value="Create" /></form>),
+      form("post")
+    )
+  end
+
+  def test_form_with_method_option
+    assert_dom_equal(
+      %(<form action="create" method="get"><p><label for="post_title">Title</label><br /><input id="post_title" name="post[title]" size="30" type="text" value="Hello World" /></p>\n<p><label for="post_body">Body</label><br /><div class="fieldWithErrors"><textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea></div></p><input name="commit" type="submit" value="Create" /></form>),
+      form("post", :method=>'get')
+    )
+  end
 
   def test_form_with_action_option
     @response.body = form("post", :action => "sign")