Allow CSRFTokenSupport-derived traits to redefine the forgery test.

This commit does not include any additional tests as the semantics should not change. The forgery test was exposed to derived types.
yanana · Mar 24, 2011 · caf6772 · caf6772
1 parent 36b1fb5
commit caf6772
Showing 1 changed file with 21 additions and 3 deletions.
diff --git a/core/src/main/scala/org/scalatra/CSRFTokenSupport.scala b/core/src/main/scala/org/scalatra/CSRFTokenSupport.scala
@@ -26,13 +26,31 @@ trait CSRFTokenSupport { self: ScalatraKernel =>
   protected def csrfToken = session(csrfKey).asInstanceOf[String]
 
   before {
-    if (request.isWrite && session.get(csrfKey) != params.get(csrfKey))
-      halt(403, "Request tampering detected!")
+    if (isForged) {
+      handleForgery()
+    }
     prepareCSRFToken
   }
 
+  /**
+   * Test whether a POST request is a potential cross-site forgery.
+   *
+   * @return Returns true if the POST request is suspect.
+   */
+  protected def isForged: Boolean = {
+    request.isWrite && session.get(csrfKey) != params.get(csrfKey)
+  }
+
+  /**
+   * Take an action when a forgery is detected. The default action
+   * halts further request processing and returns a 403 HTTP status code.
+   */
+  protected def handleForgery() {
+    halt(403, "Request tampering detected!")
+  }
+
   protected def prepareCSRFToken = {
     session.getOrElseUpdate(csrfKey, GenerateId())
   }
 
-}
+}