Skip to content
Browse files

Expose CSRF tag for UJS adapters

  • Loading branch information...
1 parent 127e534 commit 78de17cf7095af8e86d192af8d8fbe21e6f193d9 @jeremy jeremy committed Feb 4, 2010
View
2 actionpack/lib/action_view/helpers.rb
@@ -7,6 +7,7 @@ module Helpers #:nodoc:
autoload :AtomFeedHelper, 'action_view/helpers/atom_feed_helper'
autoload :CacheHelper, 'action_view/helpers/cache_helper'
autoload :CaptureHelper, 'action_view/helpers/capture_helper'
+ autoload :CsrfHelper, 'action_view/helpers/csrf_helper'
autoload :DateHelper, 'action_view/helpers/date_helper'
autoload :DebugHelper, 'action_view/helpers/debug_helper'
autoload :FormHelper, 'action_view/helpers/form_helper'
@@ -40,6 +41,7 @@ module ClassMethods
include AtomFeedHelper
include CacheHelper
include CaptureHelper
+ include CsrfHelper
include DateHelper
include DebugHelper
include FormHelper
View
12 actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -0,0 +1,12 @@
+module ActionView
+ module Helpers
+ module CsrfHelper
+ # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
+ def csrf_meta_tag
+ if protect_against_forgery?
+ %(<meta name="csrf-token" content="#{Rack::Utils.escape(form_authenticity_token)}"/>).html_safe
+ end
+ end
+ end
+ end
+end
View
16 actionpack/test/controller/request_forgery_protection_test.rb
@@ -15,13 +15,17 @@ def unsafe
render :text => 'pwn'
end
+ def meta
+ render :inline => "<%= csrf_meta_tag %>"
+ end
+
def rescue_action(e) raise e end
end
# sample controllers
class RequestForgeryProtectionController < ActionController::Base
include RequestForgeryProtectionActions
- protect_from_forgery :only => :index
+ protect_from_forgery :only => %w(index meta)
end
class FreeCookieController < RequestForgeryProtectionController
@@ -211,6 +215,11 @@ def setup
ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
ActionController::Base.request_forgery_protection_token = :authenticity_token
end
+
+ test 'should emit a csrf-token meta tag' do
+ get :meta
+ assert_equal %(<meta name="csrf-token" content="#{@token}"/>), @response.body
+ end
end
class FreeCookieControllerTest < ActionController::TestCase
@@ -238,6 +247,11 @@ def test_should_allow_all_methods_without_token
assert_nothing_raised { send(method, :index)}
end
end
+
+ test 'should not emit a csrf-token meta tag' do
+ get :meta
+ assert @response.body.blank?
+ end
end
class CustomAuthenticityParamControllerTest < ActionController::TestCase
View
1 railties/lib/generators/erb/scaffold/templates/layout.html.erb
@@ -4,6 +4,7 @@
<title><%= controller_class_name %>: <%%= controller.action_name %></title>
<%%= stylesheet_link_tag 'scaffold' %>
<%%= javascript_include_tag :defaults %>
+ <%%= csrf_meta_tag %>
</head>
<body>

0 comments on commit 78de17c

Please sign in to comment.
Something went wrong with that request. Please try again.