Add a report reaction

This reaction does not halt the request, but leaves it up to the app to react on this information. This allows e.g. frameworks to ignore failures in certain conditions.
sinatra · Mar 10, 2013 · 4775e79 · 4775e79
1 parent dac9197
commit 4775e79
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/lib/rack/protection/base.rb b/lib/rack/protection/base.rb
@@ -11,6 +11,7 @@ class Base
         :message     => 'Forbidden',       :encryptor => Digest::SHA1,
         :session_key => 'rack.session',    :status    => 403,
         :allow_empty_referrer => true,
+        :report_key           => "protection.failed",
         :html_types           => %w[text/html application/xhtml]
       }
 
@@ -63,6 +64,10 @@ def deny(env)
         [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
       end
 
+      def report(env)
+        env[options[:report_key]] = true
+      end
+
       def session?(env)
         env.include? options[:session_key]
       end

diff --git a/spec/protection_spec.rb b/spec/protection_spec.rb
@@ -18,6 +18,18 @@
     session.should be_empty
   end
 
+  it 'passes errors through if :reaction => :report is used' do
+    mock_app do
+      use Rack::Protection, :reaction => :report
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
+    end
+
+    session = {:foo => :bar}
+    post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
+    last_response.should be_ok
+    body.should == "true"
+  end
+
   describe "#html?" do
     context "given an appropriate content-type header" do
       subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }