Permalink
Browse files

Add verification to scaffolds (generated and reflection based). Requi…

…re POST for unsafe actions [Michael Koziarski]. Closes #2601

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@3864 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
1 parent e9d6fea commit c6abe81b1eebd741b2a36e6618bf6f1c07b87588 @NZKoz NZKoz committed Mar 14, 2006
View
@@ -1,5 +1,7 @@
*SVN*
+* Add Verification to scaffolds. Prevent destructive actions using GET [Michael Koziarski]
+
* Avoid hitting the filesystem when using layouts by using a File.directory? cache. [Stefan Kaes, Nicholas Seckar]
* Simplify ActionController::Base#controller_path [Nicholas Seckar]
@@ -98,6 +98,11 @@ def index
end
module_eval <<-"end_eval", __FILE__, __LINE__
+
+ verify :method=>:post, :only=>[:destroy#{suffix}, :create#{suffix}, :update#{suffix}],
+ :redirect_to=>{:action=>:list#{suffix}}
+
+
def list#{suffix}
@#{singular_name}_pages, @#{plural_name} = paginate :#{plural_name}, :per_page => 10
render#{suffix}_scaffold "list#{suffix}"
@@ -14,7 +14,7 @@
<% end %>
<td><%= link_to "Show", :action => "show#{@scaffold_suffix}", :id => entry %></td>
<td><%= link_to "Edit", :action => "edit#{@scaffold_suffix}", :id => entry %></td>
- <td><%= link_to "Destroy", {:action => "destroy#{@scaffold_suffix}", :id => entry}, {:confirm => "Are you sure?"} %></td>
+ <td><%= link_to "Destroy", {:action => "destroy#{@scaffold_suffix}", :id => entry}, {:confirm => "Are you sure?", :post=>true} %></td>
</tr>
<% end %>
</table>
View
@@ -1,5 +1,7 @@
*SVN*
+* Add verification to generated scaffolds, don't allow get for unsafe actions [Michael Koziarski]
+
* Don't replace application.js in public/javascripts if it already exists [Cody Fauser]
* Change test:uncommitted to delay execution of `svn status` by using internal Rake API's. [Nicholas Seckar]
@@ -11,6 +11,14 @@ def <%= action %><%= suffix %>
end
<% end -%>
+
+ # GET should only be used for operations which are 'safe', or read-only. So require
+ # post for all actions which change state.
+ #
+ # http://www.w3.org/2001/tag/doc/whenToUseGet.html
+ verify :method=>:post, :only=>[:destroy<%= suffix %>, :create<%= suffix %>, :update<%= suffix %>],
+ :redirect_to=> {:action=>:list<%= suffix %>}
+
def list<%= suffix %>
@<%= singular_name %>_pages, @<%= plural_name %> = paginate :<%= plural_name %>, :per_page => 10
end
@@ -14,7 +14,7 @@
<%% end %>
<td><%%= link_to 'Show', :action => 'show<%= suffix %>', :id => <%= singular_name %> %></td>
<td><%%= link_to 'Edit', :action => 'edit<%= suffix %>', :id => <%= singular_name %> %></td>
- <td><%%= link_to 'Destroy', { :action => 'destroy<%= suffix %>', :id => <%= singular_name %> }, :confirm => 'Are you sure?' %></td>
+ <td><%%= link_to 'Destroy', { :action => 'destroy<%= suffix %>', :id => <%= singular_name %> }, :confirm => 'Are you sure?', :post=>true %></td>
</tr>
<%% end %>
</table>

0 comments on commit c6abe81

Please sign in to comment.