
Merge branch 'protect_from_forgery' of https://github.com/macksmind/clearance into macksmind-protect_from_forgery
2 parents c72c386 + 3e0b3bd commit 7ede20c6ab063256f63a2d24d9e5c0618d5c81c9 @croaky croaky committed Apr 16, 2011
Showing with 83 additions and 27 deletions.
  1. +1 −1 Gemfile
  2. +26 −26 Gemfile.lock
  3. +7 −0 lib/clearance/authentication.rb
  4. +49 −0 test/controllers/forgeries_controller_test.rb
@@ -2,7 +2,7 @@ source "http://rubygems.org"
gem "cucumber"
gem "aruba", "~> 0.2.7"
gem "rake"
-gem "rails", ">= 3.0.3"
+gem "rails", ">= 3.0.6"
gem "thin"
gem "shoulda"
gem "sqlite3"
@@ -2,32 +2,32 @@ GEM
remote: http://rubygems.org/
specs:
abstract (1.0.0)
- actionmailer (3.0.3)
- actionpack (= 3.0.3)
+ actionmailer (3.0.6)
+ actionpack (= 3.0.6)
mail (~> 2.2.9)
- actionpack (3.0.3)
- activemodel (= 3.0.3)
- activesupport (= 3.0.3)
+ actionpack (3.0.6)
+ activemodel (= 3.0.6)
+ activesupport (= 3.0.6)
builder (~> 2.1.2)
erubis (~> 2.6.6)
i18n (~> 0.4)
rack (~> 1.2.1)
rack-mount (~> 0.6.13)
rack-test (~> 0.5.6)
tzinfo (~> 0.3.23)
- activemodel (3.0.3)
- activesupport (= 3.0.3)
+ activemodel (3.0.6)
+ activesupport (= 3.0.6)
builder (~> 2.1.2)
i18n (~> 0.4)
- activerecord (3.0.3)
- activemodel (= 3.0.3)
- activesupport (= 3.0.3)
+ activerecord (3.0.6)
+ activemodel (= 3.0.6)
+ activesupport (= 3.0.6)
arel (~> 2.0.2)
tzinfo (~> 0.3.23)
- activeresource (3.0.3)
- activemodel (= 3.0.3)
- activesupport (= 3.0.3)
- activesupport (3.0.3)
+ activeresource (3.0.6)
+ activemodel (= 3.0.6)
+ activesupport (= 3.0.6)
+ activesupport (3.0.6)
arel (2.0.6)
aruba (0.2.8)
childprocess (~> 0.1.6)
@@ -58,7 +58,7 @@ GEM
culerity (0.2.14)
daemons (1.1.0)
diesel (0.1.4)
- railties (~> 3.0.3)
+ railties (~> 3.0.6)
diff-lcs (1.1.2)
dynamic_form (1.1.3)
erubis (2.6.6)
@@ -93,17 +93,17 @@ GEM
rack (>= 1.0.0)
rack-test (0.5.7)
rack (>= 1.0)
- rails (3.0.3)
- actionmailer (= 3.0.3)
- actionpack (= 3.0.3)
- activerecord (= 3.0.3)
- activeresource (= 3.0.3)
- activesupport (= 3.0.3)
+ rails (3.0.6)
+ actionmailer (= 3.0.6)
+ actionpack (= 3.0.6)
+ activerecord (= 3.0.6)
+ activeresource (= 3.0.6)
+ activesupport (= 3.0.6)
bundler (~> 1.0)
- railties (= 3.0.3)
- railties (3.0.3)
- actionpack (= 3.0.3)
- activesupport (= 3.0.3)
+ railties (= 3.0.6)
+ railties (3.0.6)
+ actionpack (= 3.0.6)
+ activesupport (= 3.0.6)
rake (>= 0.8.7)
thor (~> 0.14.4)
rake (0.8.7)
@@ -154,7 +154,7 @@ DEPENDENCIES
factory_girl_rails
launchy
mocha
- rails (>= 3.0.3)
+ rails (>= 3.0.6)
rake
rspec-rails
shoulda
@@ -92,6 +92,13 @@ def deny_access(flash_message = nil)
protected
+ # Rails <= 3.0.3 raises ActionController::InvalidAuthenticityToken in super
+ # Rails >= 3.0.4 simply resets the session, so we need an extra step
+ def handle_unverified_request
+ super
+ sign_out
+ end
+
def user_from_cookie
if token = cookies[:remember_token]
::User.find_by_remember_token(token)
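Review bot: The comment above the new `handle_unverified_request` says an "extra step" is needed but not why it matters: on Rails >= 3.0.4 `super` only resets the session, while `user_from_cookie` just below still signs the user back in from `cookies[:remember_token]`, so without the `sign_out` call (which presumably clears that cookie) a request with a bad authenticity token would keep the remember-token login alive. I would make the comment say that explicitly: `# super only calls reset_session on Rails >= 3.0.4; the remember_token cookie read by user_from_cookie would still sign the user in, so sign_out as well`. Since the Gemfile in this same commit now requires rails >= 3.0.6, the `Rails <= 3.0.3` case the comment describes is unreachable under the declared dependency and could be noted as legacy or dropped. As the comment itself describes it, this hook on 3.0.4+ resets state but does not abort the request, so rejection of the forged request still depends on a later authentication filter redirecting, which is what the new forgeries test relies on. The enclosing module starts and ends outside the hunk.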
@@ -0,0 +1,49 @@
+require 'test_helper'
+
+class ForgeriesController < ActionController::Base
+ include Clearance::Authentication
+ protect_from_forgery
+ before_filter :authenticate
+
+ # This is off in test by default, but we need it for this test
+ self.allow_forgery_protection = true
+
+ def create
+ redirect_to :action => 'index'
+ end
+end
+
+class ForgeriesControllerTest < ActionController::TestCase
+ context "signed in user" do
+ setup do
+ Rails.application.routes.draw do
+ resources :forgeries
+ match 'sign_in' => 'clearance/sessions#new', :as => 'sign_in'
+ end
+
+ @user = Factory(:user)
+ @user.update_attribute(:remember_token, "old-token")
+ @request.cookies["remember_token"] = "old-token"
+ @request.session[:_csrf_token] = "golden-ticket"
+ end
+
+ teardown do
+ Rails.application.reload_routes!
+ end
+
+ should "succeed with authentic token" do
+ post :create, :authenticity_token => "golden-ticket"
+ assert_redirected_to :action => 'index'
+ end
+
+ should "redirect to sign_in with invalid token" do
+ post :create, :authenticity_token => "hax0r"
+ assert_redirected_to sign_in_url
+ end
+
+ should "redirect to sign_in with no token" do
+ post :create
+ assert_redirected_to sign_in_url
+ end
+ end
+end
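Review bot: The two failing-token cases assert only the redirect to `sign_in_url`, so the sign-out added in authentication.rb is verified only indirectly; a direct check such as `assert_nil cookies['remember_token']` (or whatever the test case exposes for response cookies) after `post :create` would pin the behaviour the commit is actually adding, namely that the remember token does not survive a forged request. The fixture `@request.session[:_csrf_token] = "golden-ticket"` couples the test to the private session key `protect_from_forgery` reads in Rails 3.0, which deserves a one-line comment so a later Rails upgrade that renames it is diagnosed quickly. The order of `protect_from_forgery` before `before_filter :authenticate` in the stub controller also appears load-bearing if Rails runs before filters in declaration order, because the session must be reset before `authenticate` looks the user up for the redirect to happen; `# order matters: the forgery check must run before :authenticate` would document that.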

0 comments on commit 7ede20c
