put authenticity_token option in parity w/ remote

[#6228 state:committed] Signed-off-by: N Santiago Pastorino <santiago@wyeworks.com>

put authenticity_token option in parity w/ remote
[#6228 state:committed] Signed-off-by: N Santiago Pastorino <santiago@wyeworks.com>
3026843d · Dan Pickett · Santiago Pastorino · a3f5d715 · 3026843d · 3026843d
2 changed file
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -304,16 +304,15 @@ module FormHelper
      # When you build forms to external resources sometimes you need to set an authenticity token or just render a form
      # without it, for example when you submit data to a payment gateway number and types of fields could be limited.
      #
-      # To set an authenticity token you need to pass an <tt>:authenticity_token</tt> parameter in the <tt>:html</tt>
-      # options section:
+      # To set an authenticity token you need to pass an <tt>:authenticity_token</tt> parameter
      #
-      #   <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => 'external_token' } do |f|
+      #   <%= form_for @invoice, :url => external_url, :authenticity_token => 'external_token' do |f|
      #     ...
      #   <% end %>
      #
      # If you don't want to an authenticity token field be rendered at all just pass <tt>false</tt>:
      #
-      #   <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => false } do |f|
+      #   <%= form_for @invoice, :url => external_url, :authenticity_token => false do |f|
      #     ...
      #   <% end %>
      def form_for(record, options = {}, &proc)
@@ -332,6 +331,8 @@ def form_for(record, options = {}, &proc)
        end

        options[:html][:remote] = options.delete(:remote)
+        options[:html][:authenticity_token] = options.delete(:authenticity_token)
+        
        builder = options[:parent_builder] = instantiate_builder(object_name, object, options, &proc)
        fields_for = fields_for(object_name, object, options, &proc)
        default_options = builder.multipart? ? { :multipart => true } : {}

--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -29,11 +29,11 @@ def meta
  end

  def external_form_for
-    render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => 'external_token' }) {} %>"
+    render :inline => "<%= form_for(:some_resource, :authenticity_token => 'external_token') {} %>"
  end

  def form_for_without_protection
-    render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => false }) {} %>"
+    render :inline => "<%= form_for(:some_resource, :authenticity_token => false ) {} %>"
  end

  def rescue_action(e) raise e end