Changeset 8626

Timestamp:

01/11/08 16:25:23 (6 months ago)

Author:

david

Message:

Fixed ActionView::Helpers::ActiveRecordHelper::form for when protect_from_forgery is used (closes #10739) [jeremyevans]

Files:

• trunk/actionpack/CHANGELOG (modified) (1 diff)
• trunk/actionpack/lib/action_view/helpers/active_record_helper.rb (modified) (2 diffs)
• trunk/actionpack/test/template/active_record_helper_test.rb (modified) (2 diffs)

trunk/actionpack/CHANGELOG

@@ -1 +1 @@
-*SVN*
+
+* Fixed ActionView::Helpers::ActiveRecordHelper::form for when protect_from_forgery is used #10739 [jeremyevans]
-
-* Provide nicer access to HTTP Headers.  Instead of request.env["HTTP_REFERRER"] you can now use request.headers["Referrer"]. [Koz]

trunk/actionpack/lib/action_view/helpers/active_record_helper.rb

@@ -57 +57 @@
-      #     form << collection_select("department", "id", @departments, "id", "name")
-      #   end
+      #
+      # The following options are available:
+      #
+      # * <tt>action</tt> - the action used when submitting the form (default: create if a new record, otherwise update)
+      # * <tt>input_block</tt> - specialize the output using a different block, see above
+      # * <tt>method</tt> - the method used when submitting the form (default: post)
+      # * <tt>multipart</tt> - whether to change the enctype of the form to multipart/form-date, used when uploading a file (default: false)
+      # * <tt>submit_value</tt> - the text of the submit button (default: Create if a new record, otherwise Update)
-      def form(record_name, options = {})
-        record = instance_variable_get("@#{record_name}")
@@ -66 +74 @@
-        submit_value = options[:submit_value] || options[:action].gsub(/[^\w]/, '').capitalize
-
-''
+form_tag({:action => action}, :method =>(options[:method] || 'post'), :enctype => options[:multipart] ? 'multipart/form-data': nil)
-        contents << hidden_field(record_name, :id) unless record.new_record?
-        contents << all_input_tags(record, record_name, options)
-        yield contents if block_given?
-        contents << submit_tag(submit_value)
-
-
+
-      end
-

trunk/actionpack/test/template/active_record_helper_test.rb

@@ -87 +87 @@
-    @user.email = ""
-  end
+  
+  def protect_against_forgery?
+    @protect_against_forgery ? true : false
+  end
+  attr_accessor :request_forgery_protection_token, :form_authenticity_token
-
-  def setup
@@ -141 +146 @@
-    )
-  end
+  
+  def test_form_with_protect_against_forgery
+    @protect_against_forgery = true
+    @request_forgery_protection_token = 'authenticity_token'
+    @form_authenticity_token = '123'
+    assert_dom_equal(
+      %(<form action="create" method="post"><div style='margin:0;padding:0'><input type='hidden' name='authenticity_token' value='123' /></div><p><label for="post_title">Title</label><br /><input id="post_title" name="post[title]" size="30" type="text" value="Hello World" /></p>\n<p><label for="post_body">Body</label><br /><div class="fieldWithErrors"><textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea></div></p><input name="commit" type="submit" value="Create" /></form>),
+      form("post")
+    )
+  end
+  
+  def test_form_with_method_option
+    assert_dom_equal(
+      %(<form action="create" method="get"><p><label for="post_title">Title</label><br /><input id="post_title" name="post[title]" size="30" type="text" value="Hello World" /></p>\n<p><label for="post_body">Body</label><br /><div class="fieldWithErrors"><textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea></div></p><input name="commit" type="submit" value="Create" /></form>),
+      form("post", :method=>'get')
+    )
+  end
-
-  def test_form_with_action_option