Ticket #10059: updated_auto_complete_should_work_with_CSRF_and_be_testable_outside_a_project.patch

auto_complete/test/auto_complete_test.rb

@@ -1 @@
-
+
+
+
+
+
-
+$:.unshift File.dirname(__FILE__) + '/../lib'
+require "auto_complete"
+require "auto_complete_macros_helper"
+require File.dirname(__FILE__) + '/../init'
+
-class AutoCompleteTest < Test::Unit::TestCase
-  include AutoComplete
-  include AutoCompleteMacrosHelper
@@ -8 +17 @@
-  include ActionView::Helpers::TagHelper
-  include ActionView::Helpers::TextHelper
-  include ActionView::Helpers::FormHelper
-
+  
-  
-  def setup
+    @protect_against_forgery = false
-    @controller = Class.new do
-      def url_for(options)
-        url =  "http://www.example.com/"
@@ -41 +51 @@
-    assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nvar some_input_auto_completer = new Ajax.Autocompleter('some_input', 'some_input_auto_complete', 'http://www.example.com/autocomplete', {paramName:'huidriwusch'})\n//]]>\n</script>),
-      auto_complete_field("some_input", :url => { :action => "autocomplete" }, :param_name => 'huidriwusch');
-    assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nvar some_input_auto_completer = new Ajax.Autocompleter('some_input', 'some_input_auto_complete', 'http://www.example.com/autocomplete', {method:'get'})\n//]]>\n</script>),
-
+   
-  end
-  
+  def test_auto_complete_field_with_protect_against_forgery
+    @protect_against_forgery = true
+    assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nvar some_input_auto_completer = new Ajax.Autocompleter('some_input', 'some_input_auto_complete', 'http://www.example.com/autocomplete', {parameters:'authenticity_token=' + encodeURIComponent('some_secret_hash')})\n//]]>\n</script>),
+      auto_complete_field("some_input", :url => { :action => "autocomplete" });
+  end
+  
-  def test_auto_complete_result
-    result = [ { :title => 'test1'  }, { :title => 'test2'  } ]
-    assert_equal %(<ul><li>test1</li><li>test2</li></ul>), 
@@ -64 +80 @@
-      text_field_with_auto_complete(:message, :recipient, {}, :skip_style => true)
-  end
-  
+  def test_text_field_with_auto_complete_and_protect_against_forgery
+    @protect_against_forgery = true
+    assert_dom_equal %(<input id=\"message_recipient\" name=\"message[recipient]\" size=\"30\" type=\"text\" /><div class=\"auto_complete\" id=\"message_recipient_auto_complete\"></div><script type=\"text/javascript\">\n//<![CDATA[\nvar message_recipient_auto_completer = new Ajax.Autocompleter('message_recipient', 'message_recipient_auto_complete', 'http://www.example.com/auto_complete_for_message_recipient', {parameters:'authenticity_token=' + encodeURIComponent('some_secret_hash')})\n//]]>\n</script>),
+      text_field_with_auto_complete(:message, :recipient, {}, :skip_style => true)    
+  end
+    
+  # stubbed CSRF-related methods for testing
+  def protect_against_forgery?
+    @protect_against_forgery # so we can turn it on and off for tests
+  end
+  
+  def request_forgery_protection_token
+    :authenticity_token
+  end
+  
+  def form_authenticity_token
+    "some_secret_hash"
+  end
+  
-end

auto_complete/lib/auto_complete_macros_helper.rb

@@ -70 +70 @@
-    js_options[:frequency]  = "#{options[:frequency]}" if options[:frequency]
-    js_options[:method]     = "'#{options[:method].to_s}'" if options[:method]
-
+    if protect_against_forgery? && js_options[:method] != "'get'"
+      js_options[:parameters] = "'#{request_forgery_protection_token}=' + encodeURIComponent('#{escape_javascript form_authenticity_token}')"
+    end
+
-    { :after_update_element => :afterUpdateElement, 
-      :on_show => :onShow, :on_hide => :onHide, :min_chars => :minChars }.each do |k,v|
-      js_options[v] = options[k] if options[k]