From e03f13c5538e38b501014fd5702309bcd7e16cbb Mon Sep 17 00:00:00 2001 From: David Heinemeier Hansson Date: Fri, 30 Nov 2007 21:04:57 +0000 Subject: [PATCH] Fixed that verification violations with no specified action didn't halt the chain (now they do with a 400 Bad Request) [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8245 5ecf4fe2-1ee6-0310-87b1-e25e094e27de --- actionpack/CHANGELOG | 5 +++++ .../lib/action_controller/verification.rb | 21 +++++++++++++------ .../test/controller/verification_test.rb | 11 ++++++++++ 3 files changed, 31 insertions(+), 6 deletions(-) diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 0155731943..04e212f7dc 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,3 +1,8 @@ +*SVN* + +* Fixed that verification violations with no specified action didn't halt the chain (now they do with a 400 Bad Request) [DHH] + + *2.0.0 [RC2]* (November 28th, 2007) * Raise UnknownHttpMethod exception for unknown HTTP methods. Closes #10303 [tarmo] diff --git a/actionpack/lib/action_controller/verification.rb b/actionpack/lib/action_controller/verification.rb index 8550f24526..e5045fba7c 100644 --- a/actionpack/lib/action_controller/verification.rb +++ b/actionpack/lib/action_controller/verification.rb @@ -12,7 +12,8 @@ def self.included(base) #:nodoc: # parameters being set, or without certain session values existing. # # When a verification is violated, values may be inserted into the flash, and - # a specified redirection is triggered. + # a specified redirection is triggered. If no specific action is configured, + # verification failures will by default result in a 400 Bad Request response. # # Usage: # 
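Review bot: The updated module comment does not say which response wins when a verification configures both `:render` and `:redirect_to`, although the `case` added further down in `verify_action` now takes `:render` first and skips the redirect. A sentence such as `# If both :render and :redirect_to are given, :render takes precedence.` would make that explicit. It would also help to state that `:add_flash` and `:add_headers` are still applied before the default 400 is sent, since the new code path updates both before it reaches `head(:bad_request)`.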
@@ -81,7 +82,7 @@ def verify_action(options) #:nodoc: prereqs_invalid = [*options[:params] ].find { |v| params[v].nil? } || [*options[:session]].find { |v| session[v].nil? } || - [*options[:flash] ].find { |v| flash[v].nil? } + [*options[:flash] ].find { |v| flash[v].nil? } if !prereqs_invalid && options[:method] prereqs_invalid ||= @@ -93,13 +94,21 @@ def verify_action(options) #:nodoc: if prereqs_invalid flash.update(options[:add_flash]) if options[:add_flash] response.headers.update(options[:add_headers]) if options[:add_headers] + unless performed? - render(options[:render]) if options[:render] - options[:redirect_to] = self.send!(options[:redirect_to]) if options[:redirect_to].is_a? Symbol - redirect_to(options[:redirect_to]) if options[:redirect_to] + case + when options[:render] + render(options[:render]) + when options[:redirect_to] + options[:redirect_to] = self.send!(options[:redirect_to]) if options[:redirect_to].is_a?(Symbol) + redirect_to(options[:redirect_to]) + else + head(:bad_request) + end end end end + private :verify_action end -end +end \ No newline at end of file diff --git a/actionpack/test/controller/verification_test.rb b/actionpack/test/controller/verification_test.rb index bbcd7d59d8..e61bd5cccb 100644 --- a/actionpack/test/controller/verification_test.rb +++ b/actionpack/test/controller/verification_test.rb @@ -37,6 +37,8 @@ class TestController < ActionController::Base verify :only => :guarded_one_for_named_route_test, :params => "one", :redirect_to => :foo_url + verify :only => :no_default_action, :params => "santa" + def guarded_one render :text => "#{params[:one]}" end @@ -89,6 +91,10 @@ def must_be_post render :text => "Was a post!" end + def no_default_action + # Will never run + end + protected def rescue_action(e) raise end 
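Review bot: In the `when options[:redirect_to]` branch the resolved URL is written back into `options[:redirect_to]`, so the hash passed in is modified on the first violation. If the caller hands the same options hash to every request (the call site is outside this hunk, so this needs confirming), the Symbol is resolved only once and later requests would be redirected to a URL built from the first request's host and protocol. Resolving into a local avoids that: `target = options[:redirect_to]`, `target = self.send!(target) if target.is_a?(Symbol)`, `redirect_to(target)`. `verify_action` begins above the hunk, so the rest of its body is not visible here.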
@@ -229,6 +235,11 @@ def test_guarded_post_and_calls_render_succeeds assert_equal "Was a post!", @response.body end + def test_default_failure_should_be_a_bad_request + post :no_default_action + assert_response :bad_request + end + def test_guarded_post_and_calls_render_fails_and_sets_allow_header get :must_be_post assert_response 405 -- GitLab
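Review bot: `test_default_failure_should_be_a_bad_request` asserts only the status code, so it does not directly show that the guarded action was skipped. `no_default_action` (added in an earlier hunk of this file) has an empty body, so the response would presumably still be a 400 even if the action were invoked after `head`. Giving the action a sentinel such as `render :text => "ran"` and adding `assert_not_equal "ran", @response.body` would pin the halt itself. A companion case that supplies the `santa` parameter and expects success would cover the passing side of the new default branch, and a `:method` verification with no action configured would cover the 400 on a wrong verb.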