Navigation

Changeset 4644

Timestamp:

08/01/06 03:02:31 (2 years ago)

Author:

rick

Message:

Restrict Request Method hacking with ?_method to POST requests. [Rick Olson]

Files:

r4641	r4644
1	1	SVN
	2
	3	* Restrict Request Method hacking with ?_method to POST requests. [Rick Olson]
2	4
3	5	* Fix bug when passing multiple options to SimplyRestful, like :new => { :preview => :get, :draft => :get }. [Rick Olson, Josh Susser, Lars Pind]

r4637	r4644
16	16	# Returns the HTTP request method as a lowercase symbol (:get, for example)
17	17	def method
18		@request_method \|\|= (~~method = parameters[:_method] && method == :post~~) ?
19		~~method~~.to_s.downcase.to_sym :
	18	@request_method \|\|= (!parameters[:_method].blank? && @env['REQUEST_METHOD'] == 'POST') ?
	19	parameters[:_method].to_s.downcase.to_sym :
20	20	@env['REQUEST_METHOD'].downcase.to_sym
21	21	end

r3931	r4644
263	263	assert @request.ssl?
264	264	end
265
	265
	266	def test_symbolized_request_methods
	267	[:head, :get, :post, :put, :delete].each do \|method\|
	268	set_request_method_to method
	269	assert_equal method, @request.method
	270	end
	271	end
	272
	273	def test_allow_method_hacking_on_post
	274	set_request_method_to :post
	275	[:head, :get, :put, :delete].each do \|method\|
	276	@request.instance_eval { @parameters = { :_method => method } ; @request_method = nil }
	277	assert_equal method, @request.method
	278	end
	279	end
	280
	281	def test_restrict_method_hacking
	282	@request.instance_eval { @parameters = { :_method => 'put' } }
	283	[:head, :get, :put, :delete].each do \|method\|
	284	set_request_method_to method
	285	assert_equal method, @request.method
	286	end
	287	end
	288
	289	protected
	290	def set_request_method_to(method)
	291	@request.env['REQUEST_METHOD'] = method.to_s.upcase
	292	@request.instance_eval { @request_method = nil }
	293	end
266	294	end