From e39eae8dbf66308a2129ec0300b6e7105d726c6a Mon Sep 17 00:00:00 2001
From: Dan Pickett <dpickett@enlightsolutions.com>
Date: Sun, 6 Feb 2011 11:19:02 -0500
Subject: [PATCH] put authenticity_token option in parity w/ remote

[#6228]
---
 actionpack/lib/action_view/helpers/form_helper.rb  |    9 +++++----
 .../controller/request_forgery_protection_test.rb  |    4 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index 408a3b6..d30fd24 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -304,16 +304,15 @@ module ActionView
       # When you build forms to external resources sometimes you need to set an authenticity token or just render a form
       # without it, for example when you submit data to a payment gateway number and types of fields could be limited.
       #
-      # To set an authenticity token you need to pass an <tt>:authenticity_token</tt> parameter in the <tt>:html</tt>
-      # options section:
+      # To set an authenticity token you need to pass an <tt>:authenticity_token</tt> parameter
       #
-      #   <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => 'external_token' } do |f|
+      #   <%= form_for @invoice, :url => external_url, :authenticity_token => 'external_token' do |f|
       #     ...
       #   <% end %>
       #
       # If you don't want to an authenticity token field be rendered at all just pass <tt>false</tt>:
       #
-      #   <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => false } do |f|
+      #   <%= form_for @invoice, :url => external_url, :authenticity_token => false do |f|
       #     ...
       #   <% end %>
       def form_for(record, options = {}, &proc)
@@ -332,6 +331,8 @@ module ActionView
         end
 
         options[:html][:remote] = options.delete(:remote)
+        options[:html][:authenticity_token] = options.delete(:authenticity_token)
+        
         builder = options[:parent_builder] = instantiate_builder(object_name, object, options, &proc)
         fields_for = fields_for(object_name, object, options, &proc)
         default_options = builder.multipart? ? { :multipart => true } : {}
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 4f4de0c..68d4c6a 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -29,11 +29,11 @@ module RequestForgeryProtectionActions
   end
 
   def external_form_for
-    render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => 'external_token' }) {} %>"
+    render :inline => "<%= form_for(:some_resource, :authenticity_token => 'external_token') {} %>"
   end
 
   def form_for_without_protection
-    render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => false }) {} %>"
+    render :inline => "<%= form_for(:some_resource, :authenticity_token => false ) {} %>"
   end
 
   def rescue_action(e) raise e end
-- 
1.7.1.1