From db13c2a5bb55756f4c231b10ce7f306d57ba972b Mon Sep 17 00:00:00 2001 From: Denis Odorcic Date: Thu, 18 Mar 2010 22:28:25 -0400 Subject: [PATCH] Fix protect_from_forgery/csrf_meta_tag. allow_forgery_protection wasnt being set correctly --- .../metal/request_forgery_protection.rb | 68 ++++++------------- 1 files changed, 22 insertions(+), 46 deletions(-) diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 39a8096..ab39f0e 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -8,15 +8,30 @@ module ActionController #:nodoc: extend ActiveSupport::Concern include AbstractController::Helpers + + module ConfigMethods + def request_forgery_protection_token + config.request_forgery_protection_token || :authenticity_token + end - included do - # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+ - # sets it to :authenticity_token by default. - config.request_forgery_protection_token ||= :authenticity_token + def request_forgery_protection_token=(val) + config.request_forgery_protection_token = val + end - # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode. - config.allow_forgery_protection ||= true + def allow_forgery_protection + config.allow_forgery_protection.nil? ? true : config.allow_forgery_protection + end + def allow_forgery_protection=(val) + config.allow_forgery_protection = val + end + end + + include ConfigMethods + + included do + extend ConfigMethods + helper_method :form_authenticity_token helper_method :protect_against_forgery? end @@ -76,50 +91,11 @@ module ActionController #:nodoc: # # * :only/:except - Passed to the before_filter call. Set which actions are verified. def protect_from_forgery(options = {}) - self.request_forgery_protection_token ||= :authenticity_token before_filter :verify_authenticity_token, options end - - def request_forgery_protection_token - config.request_forgery_protection_token - end - - def request_forgery_protection_token=(val) - config.request_forgery_protection_token = val - end - - def allow_forgery_protection - config.allow_forgery_protection - end - - def allow_forgery_protection=(val) - config.allow_forgery_protection = val - end end protected - - def protect_from_forgery(options = {}) - self.request_forgery_protection_token ||= :authenticity_token - before_filter :verify_authenticity_token, options - end - - def request_forgery_protection_token - config.request_forgery_protection_token - end - - def request_forgery_protection_token=(val) - config.request_forgery_protection_token = val - end - - def allow_forgery_protection - config.allow_forgery_protection - end - - def allow_forgery_protection=(val) - config.allow_forgery_protection = val - end - # The actual before_filter that is used. Modify this to change how you handle unverified requests. def verify_authenticity_token verified_request? || raise(ActionController::InvalidAuthenticityToken) @@ -146,7 +122,7 @@ module ActionController #:nodoc: end def protect_against_forgery? - config.allow_forgery_protection + allow_forgery_protection end end end -- 1.6.0.6