Permalink
Browse files

Don't append the forgery token to an ajax request if it's serializing…

… a form, prevents duplicate tokens. Closes #10684 [macournoyer]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
1 parent 934706a commit 5ef8a81b846120b51b35503f5c2079036b321630 @NZKoz NZKoz committed Jan 8, 2008
View
4 actionpack/lib/action_view/helpers/prototype_helper.rb
@@ -1019,7 +1019,7 @@ def options_for_ajax(options)
js_options['parameters'] = options[:with]
end
- if protect_against_forgery?
+ if protect_against_forgery? && !options[:form]
if js_options['parameters']
js_options['parameters'] << " + '&"
else
@@ -1204,7 +1204,7 @@ def zip(variable, *arguments, &block)
append_enumerable_function!("zip(#{arguments_for_call arguments}")
if block
function_chain[-1] += ", function(array) {"
- yield ::ActiveSupport::JSON::Variable.new('array')
+ yield ActiveSupport::JSON::Variable.new('array')
add_return_statement!
@generator << '});'
else
View
9 actionpack/test/controller/request_forgery_protection_test.rb
@@ -22,6 +22,10 @@ def show_button
render :inline => "<%= button_to('New', '/') {} %>"
end
+ def remote_form
+ render :inline => "<% form_remote_tag(:url => '/') {} %>"
+ end
+
def unsafe
render :text => 'pwn'
end
@@ -75,6 +79,11 @@ def test_should_render_button_to_with_token_tag
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
+ def test_should_render_remote_form_with_only_one_token_parameter
+ get :remote_form
+ assert_equal 1, @response.body.scan(@token).size
+ end
+
def test_should_allow_get
get :index
assert_response :success

0 comments on commit 5ef8a81

Please sign in to comment.