3 module ActionView::Helpers
# Wrapper installed over the stock +tag+ helper. It behaves exactly like the
# original except that, while form_tag has flagged the view with
# @form_tag_add_security_token, the opening <form> tag is immediately followed
# by a hidden "session_token" field carrying the per-session anti-CSRF token.
#
# name:: tag name (Symbol or String); only :form is ever augmented.
# args:: forwarded untouched to the original tag helper.
# Returns the generated markup (a String).
def tag_with_security_token(name, *args)
  wants_token = name.to_sym == :form && @form_tag_add_security_token
  markup = tag_without_security_token(name, *args)
  # The token comes from the controller's session_token helper; hidden_field_tag
  # is relied on for attribute escaping (it is presumably the stock Rails helper).
  wants_token ? markup + hidden_field_tag("session_token", session_token) : markup
end
# Install the wrapper: the stock helper stays reachable as
# tag_without_security_token and every call to +tag+ now goes through
# tag_with_security_token (plain-Ruby expansion of alias_method_chain).
alias_method :tag_without_security_token, :tag
alias_method :tag, :tag_with_security_token
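# Wrapper over the stock +form_tag+. For any form that is not a plain GET it
# sets @form_tag_add_security_token so the wrapped +tag+ helper appends the
# hidden "session_token" field right after the opening <form> tag.
#
# Changes from the original wrapper:
# * the token is added for every non-GET method, not just POST. PUT/DELETE
#   forms are state-changing too (Rails ordinarily renders them as POST with a
#   _method override), so leaving them without a token either leaves them
#   unprotected or makes them fail server-side verification.
# * the :security_token option is consumed on every path, so it can no longer
#   leak into the markup as a stray <form security_token="false"> attribute.
# * the flag is reset in an +ensure+, so an exception raised while rendering
#   the form cannot leave it set for the rest of the view.
#
# url_for_options, options, parameters_for_url, proc:: forwarded unchanged.
# options[:security_token] => false opts a form out of the token.
# Returns whatever the original form_tag returns.
def form_tag_with_security_token(url_for_options = {}, options = {}, *parameters_for_url, &proc)
  wants_token = options.delete(:security_token) != false
  # nil means the form_tag default, which is POST.
  method = options[:method].nil? ? 'post' : options[:method].to_s.downcase
  if wants_token && method != 'get'
    @form_tag_add_security_token = true
    begin
      form_tag_without_security_token(url_for_options, options, *parameters_for_url, &proc)
    ensure
      @form_tag_add_security_token = nil
    end
  else
    form_tag_without_security_token(url_for_options, options, *parameters_for_url, &proc)
  end
end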
# Route form_tag through form_tag_with_security_token, keeping the stock
# helper reachable as form_tag_without_security_token (plain-Ruby expansion
# of alias_method_chain).
alias_method :form_tag_without_security_token, :form_tag
alias_method :form_tag, :form_tag_with_security_token
# The legacy start_form_tag name must resolve to the wrapped helper as well,
# otherwise forms built with it would carry no token.
alias_method :start_form_tag, :form_tag
35 module ActionView::Helpers::UrlHelper
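# Wrapper over the stock +method_javascript_function+ (the JavaScript that
# link_to builds for :method => :post/:put/:delete). It injects a hidden
# "session_token" input into the dynamically created form just before it is
# submitted, so the request passes anti-CSRF verification.
#
# Fixes over the original wrapper:
# * +url+ and +href+ are forwarded. The original called the wrapped helper
#   with the assignment expressions +url=''+ and +href=nil+, which always
#   passed '' and nil and silently discarded the caller's values.
# * the token is injected for every method, not only :post. The generated
#   form is submitted by script regardless of the verb, so a :put/:delete
#   link is just as state-changing and needs the token just as much.
# * the "f.submit()" pattern escapes its dot, and the replacement is built in
#   a block so no backslash sequences in the inserted text are interpreted.
#
# method:: :post, :put, :delete ...; url, href:: forwarded unchanged.
# Returns the JavaScript String; raises if the wrapped helper's output has no
# "f.submit()" call to hook.
def method_javascript_function_with_session_token(method, url = '', href = nil)
  f = method_javascript_function_without_session_token(method, url, href)
  # session_token is interpolated into a JS string literal unescaped; this is
  # only safe because the token is generated as plain hex digits.
  token_func = "var t = document.createElement('input'); t.type='hidden'; t.name='session_token'; t.value='#{session_token}'; "
  inject = "#{token_func}f.appendChild(t); "
  f.sub!(/f\.submit\(\)/) { |submit_call| inject + submit_call } || raise("substitution failed")
  f
end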
# Install the wrapper so the JavaScript form submit built for link_to
# :method => ... carries the session token.
# NOTE(review): only newer ActiveSupport versions of alias_method_chain keep
# the wrapped method's visibility; if the host Rails defines this helper as
# private, confirm the wrapper does not make it public.
48 alias_method_chain :method_javascript_function, :session_token
# Wrapper over the stock +button_to+: the hidden "session_token" field is
# spliced in just before the closing </form> of the generated markup.
# Note that, unlike the JavaScript wrapper, this one is silent when the
# pattern does not match -- the markup is then returned without a token.
#
# args:: forwarded untouched to the original button_to.
# Returns the generated markup (a String).
def button_to_with_session_token(*args)
  token_field = hidden_field_tag('session_token', session_token)
  button_to_without_session_token(*args).sub(/<\/form>$/, token_field + '</form>')
end
# Install the wrapper: the stock helper stays reachable as
# button_to_without_session_token and every call to +button_to+ now goes
# through button_to_with_session_token (plain-Ruby expansion of
# alias_method_chain).
alias_method :button_to_without_session_token, :button_to
alias_method :button_to, :button_to_with_session_token
58 class ActionController::Base
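# Per-session anti-CSRF token, created on first use and then reused for the
# life of the session. Exposed to views via helper_method so the form and
# link helpers can embed it.
#
# The original derived the token as MD5(session_id + Kernel#rand). Kernel#rand
# is not a cryptographic generator, and the session id is itself a secret the
# token should not depend on; an anti-CSRF token must be unpredictable, so it
# is now drawn from SecureRandom. The value is plain hex on purpose: the view
# helpers interpolate it into HTML and into a JavaScript string literal.
#
# Returns the token String (32 hex characters, 128 bits of entropy).
def session_token
  # Local require so the helper does not depend on the file's top-level requires.
  require 'securerandom'
  session[:session_token] ||= SecureRandom.hex(16)
end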
# Before-filter style check: the request must present the session's
# anti-CSRF token as params["session_token"], otherwise a 403 is rendered.
63 def verify_session_token
# Appears to exempt ActionController::TestRequest (functional tests) from the
# check -- which also means the test suite never exercises it.
# NOTE(review): the condition this expression belongs to is not visible here;
# it must cover every state-changing verb (PUT/DELETE via _method as well as
# POST), or a request can bypass the check simply by choosing another verb.
66 !(::ActionController.const_defined?("TestRequest") && request.is_a?(::ActionController::TestRequest))
# Plain String#== is not constant-time; the timing side channel on a
# per-session token is low risk, but a constant-time compare would close it.
# A non-String param (array/hash) just fails the comparison, which is the
# safe outcome.
67 if session_token == params["session_token"]
# Mismatch: 403 whose body is the literal text 'errors/forbidden' (:text does
# not render a template -- presumably :template/:file was intended; confirm).
70 render :text => 'errors/forbidden', :status => 403, :layout => false
# Make session_token callable from views: the form, link and button helpers
# embed its value in the markup they build.
77 helper_method :session_token