diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index 408a3b67216057acb4df3da816cce05a05483d8c..d30fd248c19beea8ef73c55be257c329623a0b18 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -304,16 +304,15 @@ module FormHelper
# When you build forms to external resources sometimes you need to set an authenticity token or just render a form
# without it, for example when you submit data to a payment gateway number and types of fields could be limited.
#
- # To set an authenticity token you need to pass an :authenticity_token parameter in the :html
- # options section:
+ # To set an authenticity token you need to pass an :authenticity_token parameter
#
- # <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => 'external_token' } do |f|
+ # <%= form_for @invoice, :url => external_url, :authenticity_token => 'external_token' do |f|
# ...
# <% end %>
#
# If you don't want to an authenticity token field be rendered at all just pass false:
#
- # <%= form_for @invoice, :url => external_url, :html => { :authenticity_token => false } do |f|
+ # <%= form_for @invoice, :url => external_url, :authenticity_token => false do |f|
# ...
# <% end %>
def form_for(record, options = {}, &proc)
@@ -332,6 +331,8 @@ def form_for(record, options = {}, &proc)
end
options[:html][:remote] = options.delete(:remote)
+ options[:html][:authenticity_token] = options.delete(:authenticity_token)
+
builder = options[:parent_builder] = instantiate_builder(object_name, object, options, &proc)
fields_for = fields_for(object_name, object, options, &proc)
default_options = builder.multipart? ? { :multipart => true } : {}
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 4f4de0cbee1377a9a7e9224b7f6deba592539cfa..68d4c6a57c8a761f7011fe5d26d3d5302f4a5723 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -29,11 +29,11 @@ def meta
end
def external_form_for
- render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => 'external_token' }) {} %>"
+ render :inline => "<%= form_for(:some_resource, :authenticity_token => 'external_token') {} %>"
end
def form_for_without_protection
- render :inline => "<%= form_for(:some_resource, :html => { :authenticity_token => false }) {} %>"
+ render :inline => "<%= form_for(:some_resource, :authenticity_token => false ) {} %>"
end
def rescue_action(e) raise e end