From 4775e7926df123ed60d98b9e43a46fc17276c033 Mon Sep 17 00:00:00 2001
From: Florian Gilcher
Date: Sun, 10 Mar 2013 19:09:27 +0100
Subject: [PATCH] Add a `report` reaction

This reaction does not halt the request, but leaves it up to the app to react on this information. This allows e.g. frameworks to ignore failures in certain conditions.
---
 lib/rack/protection/base.rb | 5 +++++
 spec/protection_spec.rb | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/lib/rack/protection/base.rb b/lib/rack/protection/base.rb
index fb097ab..76e35c5 100755
--- a/lib/rack/protection/base.rb
+++ b/lib/rack/protection/base.rb
@@ -11,6 +11,7 @@ class Base
 :message => 'Forbidden', :encryptor => Digest::SHA1,
 :session_key => 'rack.session', :status => 403,
 :allow_empty_referrer => true,
+ :report_key => "protection.failed",
 :html_types => %w[text/html application/xhtml]
 }
 
@@ -63,6 +64,10 @@ def deny(env)
 [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
 end
 
+ def report(env)
+ env[options[:report_key]] = true
+ end
+
 def session?(env)
 env.include? options[:session_key]
 end
diff --git a/spec/protection_spec.rb b/spec/protection_spec.rb
index 4e682fc..8ed6d3e 100755
--- a/spec/protection_spec.rb
+++ b/spec/protection_spec.rb
@@ -18,6 +18,18 @@
 session.should be_empty
 end
 
+ it 'passes errors through if :reaction => :report is used' do
+ mock_app do
+ use Rack::Protection, :reaction => :report
+ run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
+ end
+
+ session = {:foo => :bar}
+ post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
+ last_response.should be_ok
+ body.should == "true"
+ end
+
 describe "#html?" do
 context "given an appropriate content-type header" do
 subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
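Review bot: The new `:report_key` default is the only double-quoted literal in this options hash — the neighbouring `'Forbidden'`, `'rack.session'` and the string keys elsewhere in the file use single quotes — so `:report_key => 'protection.failed',` keeps the hash consistent. A one-line comment above it would also help readers, since nothing nearby says what the key is for: `# env key set by the :report reaction when a check fails`. The hash and the enclosing class continue outside the hunk.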
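Review bot: `report` returns the value of the assignment (`true`), and if the caller of the reaction treats any truthy return as the Rack response the request would be answered with `true` instead of a status/headers/body triplet; the dispatching code is outside this hunk, so either confirm it discards non-triplet results or end the method with an explicit `nil` so the return value cannot be mistaken for a response. The method also deserves a comment, because it is the one reaction that lets the request continue: `# Non-halting reaction: marks the failed check in env[options[:report_key]] and passes the request on; the application must inspect that key itself.` Note that every protection sharing this reaction writes the same `true` to the same key, so the application cannot tell which check failed; recording the failing protection (for example its class name) instead of a bare boolean would be more useful for logging, though that is a design choice rather than a defect. The enclosing class continues outside the hunk.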
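Review bot: The new example builds `session = {:foo => :bar}` but never looks at it afterwards, unlike the preceding example which ends with `session.should be_empty`; adding `session.should == {:foo => :bar}` after the `post` would pin the intended difference between `:report` and the session-dropping reaction, namely that the session is left untouched. The spec also hard-codes the default key `"protection.failed"` rather than exercising `:report_key`, so a second example passing a custom `:report_key` would cover the option actually added to DEFAULT_OPTIONS. The surrounding `describe` block continues outside the hunk.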