Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value
This commit is contained in:
parent
e1824c5991
commit
a4c120f165
@ -89,6 +89,9 @@
|
||||
* check_box with `:form` html5 attribute will now replicate the `:form`
|
||||
attribute to the hidden field as well. *Carlos Antonio da Silva*
|
||||
|
||||
* Turn off verbose mode of rack-cache, we still have X-Rack-Cache to
|
||||
check that info. Closes #5245. *Santiago Pastorino*
|
||||
|
||||
* `label` form helper accepts :for => nil to not generate the attribute. *Carlos Antonio da Silva*
|
||||
|
||||
* Add `:format` option to number_to_percentage *Rodrigo Flores*
|
||||
@ -123,6 +126,8 @@
|
||||
|
||||
## Rails 3.2.3 (unreleased) ##
|
||||
|
||||
* Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value *DHH*
|
||||
|
||||
* Upgrade rack-cache to 1.2. *José Valim*
|
||||
|
||||
* ActionController::SessionManagement is removed. *Santiago Pastorino*
|
||||
|
@ -616,8 +616,15 @@ def html_options_for_form(url_for_options, options)
|
||||
# responsibility of the caller to escape all the values.
|
||||
html_options["action"] = url_for(url_for_options)
|
||||
html_options["accept-charset"] = "UTF-8"
|
||||
html_options["data-remote"] = true if html_options.delete("remote")
|
||||
html_options["authenticity_token"] = html_options.delete("authenticity_token") if html_options.has_key?("authenticity_token")
|
||||
|
||||
if html_options.delete("remote")
|
||||
html_options["data-remote"] = true
|
||||
|
||||
# The authenticity token is taken from the meta tag in this case
|
||||
html_options["authenticity_token"] = false
|
||||
else
|
||||
html_options["authenticity_token"] = html_options.delete("authenticity_token") if html_options.has_key?("authenticity_token")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -35,6 +35,12 @@ def external_form_for
|
||||
def form_for_without_protection
|
||||
render :inline => "<%= form_for(:some_resource, :authenticity_token => false ) {} %>"
|
||||
end
|
||||
|
||||
def form_for_remote
|
||||
render :inline => "<%= form_for(:some_resource, :remote => true ) {} %>"
|
||||
end
|
||||
|
||||
def rescue_action(e) raise e end
|
||||
end
|
||||
|
||||
# sample controllers
|
||||
@ -98,6 +104,13 @@ def test_should_render_button_to_with_token_tag
|
||||
assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token
|
||||
end
|
||||
|
||||
def test_should_render_form_without_token_tag_if_remote
|
||||
assert_not_blocked do
|
||||
get :form_for_remote
|
||||
end
|
||||
assert_no_match /authenticity_token/, response.body
|
||||
end
|
||||
|
||||
def test_should_allow_get
|
||||
assert_not_blocked { get :index }
|
||||
end
|
||||
|
Loading…
Reference in New Issue
Block a user