Move request forgery protection configuration to the AC config object

This is an interim solution pending revisiting the rails framework configuration situation.

Move request forgery protection configuration to the AC config object
This is an interim solution pending revisiting the rails framework configuration situation.
01f0e476 · Carl Lerche · 0045f376 · 01f0e476 · 01f0e476
2 changed file
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -12,11 +12,10 @@ module RequestForgeryProtection
    included do
      # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
      # sets it to <tt>:authenticity_token</tt> by default.
-      cattr_accessor :request_forgery_protection_token
+      config.request_forgery_protection_token ||= true

      # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
-      class_attribute :allow_forgery_protection
-      self.allow_forgery_protection = true
+      config.allow_forgery_protection ||= true

      helper_method :form_authenticity_token
      helper_method :protect_against_forgery?
@@ -80,9 +79,47 @@ def protect_from_forgery(options = {})
        self.request_forgery_protection_token ||= :authenticity_token
        before_filter :verify_authenticity_token, options
      end
+
+      def request_forgery_protection_token
+        config.request_forgery_protection_token
+      end
+
+      def request_forgery_protection_token=(val)
+        config.request_forgery_protection_token = val
+      end
+
+      def allow_forgery_protection
+        config.allow_forgery_protection
+      end
+
+      def allow_forgery_protection=(val)
+        config.allow_forgery_protection = val
+      end
    end

    protected
+
+      def protect_from_forgery(options = {})
+        self.request_forgery_protection_token ||= :authenticity_token
+        before_filter :verify_authenticity_token, options
+      end
+
+      def request_forgery_protection_token
+        config.request_forgery_protection_token
+      end
+
+      def request_forgery_protection_token=(val)
+        config.request_forgery_protection_token = val
+      end
+
+      def allow_forgery_protection
+        config.allow_forgery_protection
+      end
+
+      def allow_forgery_protection=(val)
+        config.allow_forgery_protection = val
+      end
+
      # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
      def verify_authenticity_token
        verified_request? || raise(ActionController::InvalidAuthenticityToken)
@@ -109,7 +146,7 @@ def form_authenticity_param
      end

      def protect_against_forgery?
-        self.class.allow_forgery_protection
+        config.allow_forgery_protection
      end
  end
 end
--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -46,10 +46,11 @@ class Railtie < Rails::Railtie
    initializer "action_controller.set_configs" do |app|
      paths = app.config.paths
      ac = app.config.action_controller
-      ac.assets_dir = paths.public.to_a.first
+
+      ac.assets_dir      = paths.public.to_a.first
      ac.javascripts_dir = paths.public.javascripts.to_a.first
      ac.stylesheets_dir = paths.public.stylesheets.to_a.first
-      ac.secret = app.config.cookie_secret
+      ac.secret          = app.config.cookie_secret

      ActionController.base_hook { self.config.replace(ac) }
    end