From ad2fe4a5d36004927f42699e5a2fca7ba1cb6744 Mon Sep 17 00:00:00 2001 From: Timothy N. Tsvetkov Date: Mon, 27 Dec 2010 19:06:02 +0300 Subject: [PATCH] disable_authenticity_token option was added to the form helper. So now we can generate forms without authenticity_token tag. It is useful when we generate forms for some external resources like payments and billings where names of fields are often restricted so forms with authenticity_token are not valid. --- actionpack/lib/action_view/helpers/form_helper.rb | 1 + .../lib/action_view/helpers/form_tag_helper.rb | 5 +++-- .../controller/request_forgery_protection_test.rb | 9 +++++++++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb index 6f0e2c9..f2e9db1 100644 --- a/actionpack/lib/action_view/helpers/form_helper.rb +++ b/actionpack/lib/action_view/helpers/form_helper.rb @@ -314,6 +314,7 @@ module ActionView end options[:html][:remote] = options.delete(:remote) + options[:html][:disable_authenticity_token] = options.delete(:disable_authenticity_token) || false builder = options[:parent_builder] = instantiate_builder(object_name, object, options, &proc) fields_for = fields_for(object_name, object, options, &proc) default_options = builder.multipart? ? { :multipart => true } : {} diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb index 9500e85..b24e161 100644 --- a/actionpack/lib/action_view/helpers/form_tag_helper.rb +++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb @@ -549,10 +549,10 @@ module ActionView '' when /^post$/i, "", nil html_options["method"] = "post" - token_tag + html_options["disable_authenticity_token"] ? '' : token_tag else html_options["method"] = "post" - tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag + tag(:input, :type => "hidden", :name => "_method", :value => method) + (html_options["disable_authenticity_token"] ? token_tag : '') end tags = snowman_tag << method_tag @@ -561,6 +561,7 @@ module ActionView def form_tag_html(html_options) extra_tags = extra_tags_for_form(html_options) + html_options.delete("disable_authenticity_token") (tag(:form, html_options, true) + extra_tags).html_safe end diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 2c9aa61..7d8de46 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -20,6 +20,10 @@ module RequestForgeryProtectionActions render :inline => "<%= csrf_meta_tags %>" end + def form_without_token + render :inline => "<%= form_tag('/', :disable_authenticity_token => true) %>" + end + def rescue_action(e) raise e end end @@ -60,6 +64,11 @@ module RequestForgeryProtectionTests assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token end + def test_should_render_form_without_token_tag_with_form_without_token_option + get :form_without_token + assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false + end + def test_should_render_button_to_with_token_tag get :show_button assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token -- 1.7.1