1 require 'abstract_unit'
# Single catch-all route so the functional tests below can reach the test
# controllers' actions by ':controller/:action/:id'.
ActionController::Routing::Routes.draw do |map|
  map.connect ':controller/:action/:id'
end
8 # common controller actions
# Actions shared by both test controllers: each renders an inline template
# that uses a form helper, so the tests can check whether the helper emits
# the authenticity token field.
module RequestForgeryProtectionActions
  # NOTE(review): the three render calls below belong to action definitions
  # whose `def` lines (original 10, 14 and 18) are absent from this listing;
  # the render statements are kept as they appear.
  render :inline => "<%= form_tag('/') {} %>"
  render :inline => "<%= button_to('New', '/') {} %>"
  render :inline => "<% form_remote_tag(:url => '/') {} %>"

  # Re-raise instead of rendering an error page, so the assert_raise calls in
  # the tests observe the original exception.
  def rescue_action(e)
    raise e
  end
end
# Controller under test. Forgery protection is restricted to :index, so any
# other action is not covered by the token check (exercised by the
# "unsafe action" scenario below).
class RequestForgeryProtectionController < ActionController::Base
  include RequestForgeryProtectionActions
  protect_from_forgery :only => :index
end
# Variant with forgery protection switched off for the whole controller:
# forms should render without a token field and unsafe verbs should be
# accepted without one (see FreeCookieControllerTest).
class FreeCookieController < RequestForgeryProtectionController
  self.allow_forgery_protection = false

  # NOTE(review): the two render calls below belong to action definitions
  # whose `def` lines (original 38 and 42) are absent from this listing;
  # the render statements are kept as they appear.
  render :inline => "<%= form_tag('/') {} %>"
  render :inline => "<%= button_to('New', '/') {} %>"
end
# Shared request-forgery-protection scenarios, mixed into the concrete test
# cases below. The including test case is expected to provide @request,
# @response and @token (the value the stubbed token generator returns).
module RequestForgeryProtectionTests
  # NOTE(review): the method header wrapping this reset (original line 50,
  # presumably a teardown hook) is absent from this listing. Clearing the
  # token parameter name keeps the global setting from leaking into other
  # test suites.
  ActionController::Base.request_forgery_protection_token = nil

  # form_tag on a protected action must emit the hidden authenticity_token
  # field carrying the current token.
  def test_should_render_form_with_token_tag
    # NOTE(review): the request producing the response under test
    # (original line 56) is absent from this listing.
    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
  end

  # button_to builds its own form, which must carry the token as well.
  def test_should_render_button_to_with_token_tag
    # NOTE(review): the request producing the response under test
    # (original line 61) is absent from this listing.
    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
  end

  # form_remote_tag must not duplicate the token (once in the form, once in
  # the generated request parameters).
  def test_should_render_remote_form_with_only_one_token_parameter
    # NOTE(review): the request producing the response under test
    # (original line 66) is absent from this listing.
    occurrences = @response.body.scan(@token).size
    assert_equal 1, occurrences
  end

  # GET is a safe verb and never requires a token.
  def test_should_allow_get
    # NOTE(review): the GET request itself (original line 71) is absent
    # from this listing.
    assert_response :success
  end

  # Actions outside protect_from_forgery's :only list accept a tokenless POST.
  def test_should_allow_post_without_token_on_unsafe_action
    # NOTE(review): the POST request itself (original line 76) is absent
    # from this listing.
    assert_response :success
  end

  # A regular browser form submission (URL-encoded) without a token is
  # rejected for each unsafe verb.
  def test_should_not_allow_html_post_without_token
    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
    assert_raise ActionController::InvalidAuthenticityToken do
      post :index, :format => :html
    end
  end

  def test_should_not_allow_html_put_without_token
    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
    assert_raise ActionController::InvalidAuthenticityToken do
      put :index, :format => :html
    end
  end

  def test_should_not_allow_html_delete_without_token
    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
    assert_raise ActionController::InvalidAuthenticityToken do
      delete :index, :format => :html
    end
  end

  # API-style requests (xml format, no form content type) are exempt from
  # the token check.
  def test_should_allow_api_formatted_post_without_token
    assert_nothing_raised do
      post :index, :format => 'xml'
    end
  end

  # NOTE(review): the name says "should_not_allow", but like its post and
  # delete siblings this asserts the request is accepted; the name looks
  # inverted and should probably read test_should_allow_api_formatted_put_without_token.
  def test_should_not_allow_api_formatted_put_without_token
    assert_nothing_raised do
      put :index, :format => 'xml'
    end
  end

  def test_should_allow_api_formatted_delete_without_token
    assert_nothing_raised do
      delete :index, :format => 'xml'
    end
  end

  # The exemption must key on the request content type, not on the
  # requested :format: a browser form can only submit URL-encoded or
  # multipart bodies, so asking for xml while sending a form body must still
  # be rejected, otherwise appending format=xml would sidestep the check.
  def test_should_not_allow_api_formatted_post_sent_as_url_encoded_form_without_token
    assert_raise ActionController::InvalidAuthenticityToken do
      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
      post :index, :format => 'xml'
    end
  end

  def test_should_not_allow_api_formatted_put_sent_as_url_encoded_form_without_token
    assert_raise ActionController::InvalidAuthenticityToken do
      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
      put :index, :format => 'xml'
    end
  end

  def test_should_not_allow_api_formatted_delete_sent_as_url_encoded_form_without_token
    assert_raise ActionController::InvalidAuthenticityToken do
      @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
      delete :index, :format => 'xml'
    end
  end

  # Same as above for multipart form bodies.
  def test_should_not_allow_api_formatted_post_sent_as_multipart_form_without_token
    assert_raise ActionController::InvalidAuthenticityToken do
      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
      post :index, :format => 'xml'
    end
  end

  def test_should_not_allow_api_formatted_put_sent_as_multipart_form_without_token
    assert_raise ActionController::InvalidAuthenticityToken do
      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
      put :index, :format => 'xml'
    end
  end

  def test_should_not_allow_api_formatted_delete_sent_as_multipart_form_without_token
    assert_raise ActionController::InvalidAuthenticityToken do
      @request.env['CONTENT_TYPE'] = Mime::MULTIPART_FORM.to_s
      delete :index, :format => 'xml'
    end
  end

  # XMLHttpRequest calls are exempt from the token check in this suite ...
  def test_should_allow_xhr_post_without_token
    assert_nothing_raised do
      xhr :post, :index
    end
  end

  # ... unless they carry a form content type, which is treated like a
  # plain form submission and rejected.
  def test_should_not_allow_xhr_post_with_html_without_token
    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
    assert_raise ActionController::InvalidAuthenticityToken do
      xhr :post, :index
    end
  end

  def test_should_allow_xhr_put_without_token
    assert_nothing_raised do
      xhr :put, :index
    end
  end

  def test_should_allow_xhr_delete_without_token
    assert_nothing_raised do
      xhr :delete, :index
    end
  end

  # Unsafe verbs succeed when the correct token is supplied as a parameter.
  def test_should_allow_post_with_token
    post :index, :authenticity_token => @token
    assert_response :success
  end

  def test_should_allow_put_with_token
    put :index, :authenticity_token => @token
    assert_response :success
  end

  def test_should_allow_delete_with_token
    delete :index, :authenticity_token => @token
    assert_response :success
  end

  # An XML body with xml format is the API case and succeeds without a token.
  def test_should_allow_post_with_xml
    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
    post :index, :format => 'xml'
    assert_response :success
  end

  def test_should_allow_put_with_xml
    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
    put :index, :format => 'xml'
    assert_response :success
  end

  def test_should_allow_delete_with_xml
    @request.env['CONTENT_TYPE'] = Mime::XML.to_s
    delete :index, :format => 'xml'
    assert_response :success
  end
end
205 # OK let's get our test on
# Runs the shared scenarios against a controller that protects :index.
class RequestForgeryProtectionControllerTest < ActionController::TestCase
  include RequestForgeryProtectionTests

  # NOTE(review): the method header wrapping this fixture setup (original
  # line 209, presumably the test case's setup hook) is absent from this
  # listing; the statements are kept in order.
  @controller = RequestForgeryProtectionController.new
  @request = ActionController::TestRequest.new
  @request.format = :html
  @response = ActionController::TestResponse.new
  # Fixed token value; SecureRandom.base64 is stubbed to return it so the
  # token the controller generates matches what the assertions look for.
  @token = "cf50faa3fe97702ca1ae"
  ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
  # Name of the request parameter that carries the token.
  ActionController::Base.request_forgery_protection_token = :authenticity_token
end
221 class FreeCookieControllerTest
< ActionController
::TestCase
# NOTE(review): the method header wrapping this fixture setup (original line
# 222, presumably the test case's setup hook) is absent from this listing;
# the statements are kept in order.
@controller = FreeCookieController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
# Same fixed token and stubbed generator as RequestForgeryProtectionControllerTest,
# so the "no token rendered" assertions below can name the exact value
# that would have appeared.
@token = "cf50faa3fe97702ca1ae"
ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
# With protection disabled, form_tag must not emit the hidden token field
# (the trailing false asks assert_select for the element's absence).
def test_should_not_render_form_with_token_tag
  # NOTE(review): the request producing the response under test
  # (original line 232) is absent from this listing.
  assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
end
# With protection disabled, button_to's form must not carry the token either.
def test_should_not_render_button_to_with_token_tag
  # NOTE(review): the request producing the response under test
  # (original line 237) is absent from this listing.
  assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
end
# Every unsafe verb is accepted without a token once
# allow_forgery_protection is false.
def test_should_allow_all_methods_without_token
  %w[post put delete].map(&:to_sym).each do |verb|
    assert_nothing_raised do
      send(verb, :index)
    end
  end
end