Fixed that verification violations with no specified action didn't halt the...

Fixed that verification violations with no specified action didn't halt the chain (now they do with a 400 Bad Request) [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8245 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

Fixed that verification violations with no specified action didn't halt the...
Fixed that verification violations with no specified action didn't halt the chain (now they do with a 400 Bad Request) [DHH] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8245 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
e03f13c5 · David Heinemeier Hansson · b6d25555 · e03f13c5 · e03f13c5 · e03f13c5
3 changed file
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
+*SVN*
+* Fixed that verification violations with no specified action didn't halt the chain (now they do with a 400 Bad Request) [DHH]
 *2.0.0 [RC2]* (November 28th, 2007)
 * Raise UnknownHttpMethod exception for unknown HTTP methods. Closes #10303 [tarmo]

--- a/actionpack/lib/action_controller/verification.rb
+++ b/actionpack/lib/action_controller/verification.rb
@@ -12,7 +12,8 @@ def self.included(base) #:nodoc:
    # parameters being set, or without certain session values existing.
    #
    # When a verification is violated, values may be inserted into the flash, and
-    # a specified redirection is triggered.
+    # a specified redirection is triggered. If no specific action is configured,
+    # verification failures will by default result in a 400 Bad Request response.
    #
    # Usage:
    #
@@ -81,7 +82,7 @@ def verify_action(options) #:nodoc:
      prereqs_invalid =
        [*options[:params] ].find { |v| params[v].nil?  } ||
        [*options[:session]].find { |v| session[v].nil? } ||
-        [*options[:flash]  ].find { |v| flash[v].nil?    }
+        [*options[:flash]  ].find { |v| flash[v].nil?   }
      if !prereqs_invalid && options[:method]
        prereqs_invalid ||= 
@@ -93,13 +94,21 @@ def verify_action(options) #:nodoc:
      if prereqs_invalid
        flash.update(options[:add_flash]) if options[:add_flash]
        response.headers.update(options[:add_headers]) if options[:add_headers]
        unless performed?
-          render(options[:render]) if options[:render]
+          case
-          options[:redirect_to] = self.send!(options[:redirect_to]) if options[:redirect_to].is_a? Symbol
+          when options[:render]
-          redirect_to(options[:redirect_to]) if options[:redirect_to]
+            render(options[:render])
+          when options[:redirect_to]
+            options[:redirect_to] = self.send!(options[:redirect_to]) if options[:redirect_to].is_a?(Symbol)
+            redirect_to(options[:redirect_to])
+          else
+            head(:bad_request)
+          end
        end
      end
    end
    private :verify_action
  end
 end
\ No newline at end of file
--- a/actionpack/test/controller/verification_test.rb
+++ b/actionpack/test/controller/verification_test.rb
@@ -37,6 +37,8 @@ class TestController < ActionController::Base
    verify :only => :guarded_one_for_named_route_test, :params => "one",
           :redirect_to => :foo_url
+    verify :only => :no_default_action, :params => "santa"
    def guarded_one
      render :text => "#{params[:one]}"
    end
@@ -89,6 +91,10 @@ def must_be_post
      render :text => "Was a post!"
    end
+    def no_default_action
+      # Will never run
+    end
    protected
      def rescue_action(e) raise end
@@ -229,6 +235,11 @@ def test_guarded_post_and_calls_render_succeeds
    assert_equal "Was a post!", @response.body
  end
+  def test_default_failure_should_be_a_bad_request
+    post :no_default_action
+    assert_response :bad_request
+  end
  def test_guarded_post_and_calls_render_fails_and_sets_allow_header
    get :must_be_post
    assert_response 405