
Added tests for form_for and an authenticity_token option. Added docs for form_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers.

[#6228 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
commit b9309b47cda12db34ac3427fbafff2dca0314ed7 1 parent 5af31f3
Timothy N. Tsvetkov authored February 05, 2011 spastorino committed February 05, 2011
18  actionpack/lib/action_view/helpers/form_helper.rb
@@ -298,6 +298,24 @@ module FormHelper
298 298
       #
299 299
       # If you don't need to attach a form to a model instance, then check out
300 300
       # FormTagHelper#form_tag.
  301
+      #
  302
+      # === Form to external resources
  303
+      #
  304
+      # When you build forms to external resources sometimes you need to set an authenticity token or just render a form
  305
+      # without it, for example when you submit data to a payment gateway number and types of fields could be limited.
  306
+      #
  307
+      # To set an authenticity token you need to pass an <tt>:authenticity_token</tt> parameter in the <tt>:html</tt>
  308
+      # options section:
  309
+      #
  310
+      #   <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => 'external_token' } do |f|
  311
+      #     ...
  312
+      #   <% end %>
  313
+      #
  314
+      # If you don't want to an authenticity token field be rendered at all just pass <tt>false</tt>:
  315
+      #
  316
+      #   <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => false } do |f|
  317
+      #     ...
  318
+      #   <% end %>
301 319
       def form_for(record, options = {}, &proc)
302 320
         raise ArgumentError, "Missing block" unless block_given?
303 321
 
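Review bot: both ERB examples in this doc comment are missing the closing `%>` after `do |f|`, so `<%= form_for @invoice, :url => external_url, :html => { :authenticity_token => 'external_token' } do |f|` does not parse when a reader copies it; add `%>` to the end of that line in both snippets. The prose also needs tightening: "payment gateway number and types of fields could be limited" should read "payment gateway, where the number and types of fields may be restricted", and "If you don't want to an authenticity token field be rendered at all" should read "If you don't want an authenticity token field to be rendered at all". Since `:authenticity_token => false` switches CSRF protection off for that one form, the comment should say plainly that it is meant for forms whose action is on another host; a form that posts back to this application without the token will fail the forgery check.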
18  actionpack/test/controller/request_forgery_protection_test.rb
@@ -28,6 +28,14 @@ def meta
28 28
     render :inline => "<%= csrf_meta_tags %>"
29 29
   end
30 30
 
  31
+  def external_form_for
  32
+    render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => 'external_token' }) {} %>"
  33
+  end
  34
+
  35
+  def form_for_without_protection
  36
+    render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => false }) {} %>"
  37
+  end
  38
+
31 39
   def rescue_action(e) raise e end
32 40
 end
33 41
 
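Review bot: the two new actions exercise only `form_for`, yet the guide hunk in this same commit documents `:authenticity_token => 'external_token'` and `:authenticity_token => false` for `form_tag` too. Add matching actions so the `form_tag` path is covered by the same assertions, for example `render :inline => "<%= form_tag('/some_resource', :authenticity_token => false) {} %>"` (path chosen for illustration) and its `'external_token'` counterpart.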
@@ -68,6 +76,16 @@ def test_should_render_form_with_token_tag
68 76
     assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
69 77
   end
70 78
 
  79
+  def test_should_render_external_form_for_with_external_token
  80
+    get :external_form_for
  81
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', 'external_token'
  82
+  end
  83
+
  84
+  def test_should_render_form_for_without_token_tag
  85
+    get :form_for_without_protection
  86
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
  87
+  end
  88
+
71 89
   def test_should_render_button_to_with_token_tag
72 90
     get :show_button
73 91
     assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
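Review bot: `test_should_render_form_for_without_token_tag` only asserts that no hidden input has name `authenticity_token` and value `@token` at the same time, so it would still pass if the helper rendered a token field with some other value, such as an empty one. Drop the value match so the test checks that no token field exists at all: `assert_select 'form>div>input[name=?]', 'authenticity_token', false`. For symmetry, `test_should_render_external_form_for_with_external_token` could also assert that the session token `@token` is not rendered alongside `'external_token'`.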
36  railties/guides/source/form_helpers.textile
@@ -9,6 +9,7 @@ In this guide you will:
9 9
 * Generate select boxes from multiple types of data
10 10
 * Understand the date and time helpers Rails provides
11 11
 * Learn what makes a file upload form different
  12
+* Learn some cases of building forms to external resources
12 13
 * Find out where to look for complex forms
13 14
 
14 15
 endprologue.
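Review bot: the new bullet "Learn some cases of building forms to external resources" reads awkwardly next to the other imperative bullets; suggest "Learn how to build forms that post to external resources".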
@@ -763,6 +764,40 @@ As a shortcut you can append [] to the name and omit the +:index+ option. This i
763 764
 
764 765
 produces exactly the same output as the previous example.
765 766
 
  767
+h3. Forms to external resources
  768
+
  769
+If you need to post some data to an external resource it is still great to build your from using rails form helpers. But sometimes you need to set an +authenticity_token+ for this resource. You can do it by passing an +:authenticity_token => 'your_external_token'+ parameter to the +form_tag+ options:
  770
+
  771
+<erb>
  772
+<%= form_tag 'http://farfar.away/form', :authenticity_token => 'external_token') do %>
  773
+  Form contents
  774
+<% end %>
  775
+</erb>
  776
+
  777
+Sometimes when you submit data to an external resource, like payment gateway, fields you can use in your form are limited by an external API. So you may want not to generate an +authenticity_token+ hidden field at all. For doing this just pass +false+ to the +:authenticity_token+ option:
  778
+
  779
+<erb>
  780
+<%= form_tag 'http://farfar.away/form', :authenticity_token => 'external_token') do %>
  781
+  Form contents
  782
+<% end %>
  783
+</erb>
  784
+
  785
+The same technique is available for the +form_for+ too. You need just to set an +authenticity_token+ through +html+ options:
  786
+
  787
+<erb>
  788
+<%= form_for @invoice, :url => external_url, :html => { :authenticity_token => 'external_token' } do |f|
  789
+  Form contents
  790
+<% end %>
  791
+</erb>
  792
+
  793
+Or if you don't want to render an +authenticity_token+ field:
  794
+
  795
+<erb>
  796
+<%= form_for @invoice, :url => external_url, :html => { :authenticity_token => false } do |f|
  797
+  Form contents
  798
+<% end %>
  799
+</erb>
  800
+
766 801
 h3. Building Complex Forms
767 802
 
768 803
 Many apps grow beyond simple forms editing a single object. For example when creating a Person you might want to allow the user to (on the same form) create multiple address records (home, work, etc.). When later editing that person the user should be able to add, remove or amend addresses as necessary. While this guide has shown you all the pieces necessary to handle this, Rails does not yet have a standard end-to-end way of accomplishing this, but many have come up with viable approaches. These include:
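Review bot: the second `form_tag` example, which the text introduces as the one that passes `false`, is a copy of the first and still reads `:authenticity_token => 'external_token'`; it should be `<%= form_tag 'http://farfar.away/form', :authenticity_token => false do %>`. Both `form_tag` examples also carry a stray `)` after `'external_token'` with no matching opening parenthesis, and both `form_for` examples lack the closing `%>` after `do |f|`, so none of the four snippets is valid ERB as written. Typo: "build your from" should be "build your form". Because this section documents turning CSRF protection off per form, it should state that `:authenticity_token => false` is only appropriate when the form's action is on another host; a form that posts back to this application without the token will fail the forgery check.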
@@ -776,6 +811,7 @@ Many apps grow beyond simple forms editing a single object. For example when cre
776 811
 
777 812
 h3. Changelog
778 813
 
  814
+* February 5, 2011: Added 'Forms to external resources' section. Timothy N. Tsvetkov <timothy.tsvetkov@gmail.com>
779 815
 * April 6, 2010: Fixed document to validate XHTML 1.0 Strict. "Jaime Iniesta":http://jaimeiniesta.com
780 816
 
781 817
 h3. Authors
