From 94a4189977336f41659963c29fee487b01d8a23e Mon Sep 17 00:00:00 2001 From: Robin Lu Date: Mon, 7 Jul 2008 00:47:40 +0800 Subject: [PATCH] Make protect_from_forgery class-wise. protect_from_forgery is not quite class-wise currently. When one controller declares protect_from_forgery, protect_against_forgery? of every controller returns true even for controllers without protect_from_forgery. This causes the inconsistency of forgery verification and code generation of helpers. The controller without verify_authenticity_token filter still needs a :secret to generate the token for helpers like link_to_remote. This patch means to make protect_from_forgery more class-wise without breaking default behavior of the protection. You can still declare protect_from_forgery in ApplicationController to enable all or you can make it controller by controller without affecting other controllers. --- actionpack/lib/action_controller/base.rb | 4 ++-- .../request_forgery_protection.rb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index 58eb5ca..1e71bd1 100755 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -334,15 +334,15 @@ module ActionController #:nodoc: # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+ # sets it to :authenticity_token by default. cattr_accessor :request_forgery_protection_token + self.request_forgery_protection_token = :authenticity_token # Indicates whether or not optimise the generated named # route helper methods cattr_accessor :optimise_named_routes self.optimise_named_routes = true - # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode. + # Controls whether request forgergy protection is turned on or not. Turned on when protect_from_forgery is declared. class_inheritable_accessor :allow_forgery_protection - self.allow_forgery_protection = true # Holds the request object that's primarily used to get environment variables through access like # request.env["REQUEST_URI"]. diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 02c9d59..0fcc0fa 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -74,7 +74,7 @@ module ActionController #:nodoc: # Leave this off if you are using the cookie session store. # * :digest - Message digest used for hashing. Defaults to 'SHA1'. def protect_from_forgery(options = {}) - self.request_forgery_protection_token ||= :authenticity_token + self.allow_forgery_protection = true before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except) request_forgery_protection_options.update(options) end @@ -134,7 +134,7 @@ module ActionController #:nodoc: end def protect_against_forgery? - allow_forgery_protection && request_forgery_protection_token + allow_forgery_protection end end end -- 1.5.5.3