actionpack 1.13.6 → 2.0.0

data/test/controller/render_test.rb

@@ -1,8 +1,5 @@
 require File.dirname(__FILE__) + '/../abstract_unit'
-
-unless defined?(Customer)
-  Customer = Struct.new("Customer", :name)
-end
+require File.dirname(__FILE__) + '/fake_models'
 
 module Fun
   class GamesController < ActionController::Base
@@ -19,32 +16,32 @@ class TestController < ActionController::Base
   end
 
   def render_hello_world
-    render "test/hello_world"
+    render :template => "test/hello_world"
   end
 
   def render_hello_world_from_variable
     @person = "david"
-    render_text "hello #{@person}"
+    render :text => "hello #{@person}"
   end
 
   def render_action_hello_world
-    render_action "hello_world"
+    render :action => "hello_world"
   end
 
   def render_action_hello_world_with_symbol
-    render_action :hello_world
+    render :action => :hello_world
   end
 
   def render_text_hello_world
-    render_text "hello world"
+    render :text => "hello world"
   end
 
   def render_json_hello_world
-    render_json({:hello => 'world'}.to_json)
+    render :json => {:hello => 'world'}.to_json
   end
 
   def render_json_hello_world_with_callback
-    render_json({:hello => 'world'}.to_json, 'alert')
+    render :json => {:hello => 'world'}.to_json, :callback => 'alert'
   end
 
   def render_symbol_json
@@ -52,21 +49,24 @@ class TestController < ActionController::Base
   end
 
   def render_custom_code
-    render_text "hello world", "404 Moved"
-  end
-
-  def render_text_appendix
-    render_text "hello world"
-    render_text ", goodbye!", "404 Not Found", true
+    render :text => "hello world", :status => 404
   end
 
   def render_nothing_with_appendix
-    render_text "appended", nil, true
+    render :text => "appended"
+  end
+  
+  def render_invalid_args
+    render("test/hello")
   end
 
   def render_xml_hello
     @name = "David"
-    render "test/hello"
+    render :template => "test/hello"
+  end
+
+  def heading
+    head :ok
   end
 
   def greeting
@@ -74,34 +74,34 @@ class TestController < ActionController::Base
   end
 
   def layout_test
-    render_action "hello_world"
+    render :action => "hello_world"
   end
 
   def builder_layout_test
-    render_action "hello"
+    render :action => "hello"
   end
 
   def builder_partial_test
-    render_action "hello_world_container"
+    render :action => "hello_world_container"
   end
 
   def partials_list
     @test_unchanged = 'hello'
     @customers = [ Customer.new("david"), Customer.new("mary") ]
-    render_action "list"
+    render :action => "list"
   end
 
   def partial_only
-    render_partial
+    render :partial => true
   end
 
   def hello_in_a_string
     @customers = [ Customer.new("david"), Customer.new("mary") ]
-    render_text "How's there? #{render_to_string("test/list")}"
+    render :text => "How's there? " + render_to_string(:template => "test/list")
   end
 
   def accessing_params_in_template
-    render_template "Hello: <%= params[:name] %>"
+    render :inline => "Hello: <%= params[:name] %>"
   end
 
   def accessing_local_assigns_in_inline_template
@@ -118,24 +118,71 @@ class TestController < ActionController::Base
     ActionView::Base.local_assigns_support_string_keys = false
   end
 
+  def formatted_html_erb
+  end
+
+  def formatted_xml_erb
+  end
+
   def render_to_string_test
     @foo = render_to_string :inline => "this is a test"
   end
 
+  def partial
+    render :partial => 'partial'
+  end
+
+  def partial_dot_html
+    render :partial => 'partial.html.erb'
+  end
+  
+  def partial_as_rjs
+    render :update do |page|
+      page.replace :foo, :partial => 'partial'
+    end
+  end
+
+  def respond_to_partial_as_rjs
+    respond_to do |format|
+      format.js do
+        render :update do |page|
+          page.replace :foo, :partial => 'partial'
+        end
+      end
+    end
+  end
+
+  def default_render
+    if @alternate_default_render
+      @alternate_default_render.call
+    else
+      render
+    end
+  end
+
+  def render_alternate_default
+    # For this test, the method "default_render" is overridden:
+    @alternate_default_render = lambda {
+	render :update do |page|
+	  page.replace :foo, :partial => 'partial'
+	end
+      }
+  end
+
   def rescue_action(e) raise end
 
   private
     def determine_layout
       case action_name
-        when "layout_test":         "layouts/standard"
-        when "builder_layout_test": "layouts/builder"
-        when "render_symbol_json":  "layouts/standard"  # to make sure layouts don't interfere
+        when "layout_test";         "layouts/standard"
+        when "builder_layout_test"; "layouts/builder"
+        when "render_symbol_json";  "layouts/standard"  # to make sure layouts don't interfere
       end
     end
 end
 
-TestController.template_root = File.dirname(__FILE__) + "/../fixtures/"
-Fun::GamesController.template_root = File.dirname(__FILE__) + "/../fixtures/"
+TestController.view_paths = [ File.dirname(__FILE__) + "/../fixtures/" ]
+Fun::GamesController.view_paths = [ File.dirname(__FILE__) + "/../fixtures/" ]
 
 class RenderTest < Test::Unit::TestCase
   def setup
@@ -153,7 +200,7 @@ class RenderTest < Test::Unit::TestCase
   end
 
   def test_do_with_render
-    assert_deprecated_render { get :render_hello_world }
+    get :render_hello_world
     assert_template "test/hello_world"
   end
 
@@ -179,31 +226,26 @@ class RenderTest < Test::Unit::TestCase
 
   def test_do_with_render_json
     get :render_json_hello_world
-    assert_equal '{hello: "world"}', @response.body
+    assert_equal '{"hello": "world"}', @response.body
     assert_equal 'application/json', @response.content_type
   end
 
   def test_do_with_render_json_with_callback
     get :render_json_hello_world_with_callback
-    assert_equal 'alert({hello: "world"})', @response.body
+    assert_equal 'alert({"hello": "world"})', @response.body
     assert_equal 'application/json', @response.content_type
   end
 
   def test_do_with_render_symbol_json
     get :render_symbol_json
-    assert_equal '{hello: "world"}', @response.body
+    assert_equal '{"hello": "world"}', @response.body
     assert_equal 'application/json', @response.content_type
   end
 
   def test_do_with_render_custom_code
     get :render_custom_code
     assert_response 404
-  end
-
-  def test_do_with_render_text_appendix
-    get :render_text_appendix
-    assert_response 404
-    assert_equal 'hello world, goodbye!', @response.body
+    assert_equal 'hello world', @response.body
   end
 
   def test_do_with_render_nothing_with_appendix
@@ -211,7 +253,11 @@ class RenderTest < Test::Unit::TestCase
     assert_response 200
     assert_equal 'appended', @response.body
   end
-
+  
+  def test_attempt_to_render_with_invalid_arguments
+    assert_raises(ActionController::RenderError) { get :render_invalid_args }
+  end
+  
   def test_attempt_to_access_object_method
     assert_raises(ActionController::UnknownAction, "No action responded to [clone]") { get :clone }
   end
@@ -221,7 +267,7 @@ class RenderTest < Test::Unit::TestCase
   end
 
   def test_render_xml
-    assert_deprecated_render { get :render_xml_hello }
+    get :render_xml_hello
     assert_equal "<html>\n  <p>Hello David</p>\n<p>This is grand!</p>\n</html>\n", @response.body
   end
 
@@ -286,8 +332,112 @@ class RenderTest < Test::Unit::TestCase
     assert_equal "Goodbye, Local David", @response.body
   end
 
+  def test_render_200_should_set_etag
+    get :render_hello_world_from_variable
+    assert_equal etag_for("hello david"), @response.headers['ETag']
+    assert_equal "private, max-age=0, must-revalidate", @response.headers['Cache-Control']
+  end
+
+  def test_render_against_etag_request_should_304_when_match
+    @request.headers["HTTP_IF_NONE_MATCH"] = etag_for("hello david")
+    get :render_hello_world_from_variable
+    assert_equal "304 Not Modified", @response.headers['Status']
+    assert @response.body.empty?
+  end
+
+  def test_render_against_etag_request_should_200_when_no_match
+    @request.headers["HTTP_IF_NONE_MATCH"] = etag_for("hello somewhere else")
+    get :render_hello_world_from_variable
+    assert_equal "200 OK", @response.headers['Status']
+    assert !@response.body.empty?
+  end
+
+  def test_render_with_etag
+    get :render_hello_world_from_variable
+    expected_etag = etag_for('hello david')
+    assert_equal expected_etag, @response.headers['ETag']
+
+    @request.headers["HTTP_IF_NONE_MATCH"] = expected_etag
+    get :render_hello_world_from_variable
+    assert_equal "304 Not Modified", @response.headers['Status']
+
+    @request.headers["HTTP_IF_NONE_MATCH"] = "\"diftag\""
+    get :render_hello_world_from_variable
+    assert_equal "200 OK", @response.headers['Status']
+  end
+
+  def render_with_404_shouldnt_have_etag
+    get :render_custom_code
+    assert_nil @response.headers['ETag']
+  end
+
+  def test_etag_should_not_be_changed_when_already_set
+    expected_etag = etag_for("hello somewhere else")
+    @response.headers["ETag"] = expected_etag
+    get :render_hello_world_from_variable
+    assert_equal expected_etag, @response.headers['ETag']
+  end
+
+  def test_etag_should_govern_renders_with_layouts_too
+    get :builder_layout_test
+    assert_equal "<wrapper>\n<html>\n  <p>Hello </p>\n<p>This is grand!</p>\n</html>\n</wrapper>\n", @response.body
+    assert_equal etag_for("<wrapper>\n<html>\n  <p>Hello </p>\n<p>This is grand!</p>\n</html>\n</wrapper>\n"), @response.headers['ETag']
+  end
+
+  def test_should_render_formatted_template
+    get :formatted_html_erb
+    assert_equal 'formatted html erb', @response.body
+  end
+  
+  def test_should_render_formatted_xml_erb_template
+    get :formatted_xml_erb, :format => :xml
+    assert_equal '<test>passed formatted xml erb</test>', @response.body
+  end
+  
+  def test_should_render_formatted_html_erb_template
+    get :formatted_xml_erb
+    assert_equal '<test>passed formatted html erb</test>', @response.body
+  end
+  
+  def test_should_render_formatted_html_erb_template_with_faulty_accepts_header
+    @request.env["HTTP_ACCEPT"] = "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, appliction/x-shockwave-flash, */*"
+    get :formatted_xml_erb
+    assert_equal '<test>passed formatted html erb</test>', @response.body
+  end
+
+  def test_should_render_html_formatted_partial
+    get :partial
+    assert_equal 'partial html', @response.body
+  end
+
+  def test_should_render_html_partial_with_dot
+    get :partial_dot_html
+    assert_equal 'partial html', @response.body
+  end
+
+  def test_should_render_html_formatted_partial_with_rjs
+    xhr :get, :partial_as_rjs
+    assert_equal %(Element.replace("foo", "partial html");), @response.body
+  end
+
+  def test_should_render_html_formatted_partial_with_rjs_and_js_format
+    xhr :get, :respond_to_partial_as_rjs
+    assert_equal %(Element.replace("foo", "partial html");), @response.body
+  end
+
+  def test_should_render_js_partial
+    xhr :get, :partial, :format => 'js'
+    assert_equal 'partial js', @response.body
+  end
+
+  def test_should_render_with_alternate_default_render
+    xhr :get, :render_alternate_default
+    assert_equal %(Element.replace("foo", "partial html");), @response.body
+  end
+
   protected
-    def assert_deprecated_render(&block)
-      assert_deprecated(/render/, &block)
+  
+    def etag_for(text)
+      %("#{Digest::MD5.hexdigest(text)}")
     end
 end

data/test/controller/request_forgery_protection_test.rb

@@ -0,0 +1,217 @@
+require File.dirname(__FILE__) + '/../abstract_unit'
+require 'digest/sha1'
+
+ActionController::Routing::Routes.draw do |map|
+  map.connect ':controller/:action/:id'
+end
+
+# simulates cookie session store
+class FakeSessionDbMan
+  def self.generate_digest(data)
+    Digest::SHA1.hexdigest("secure")
+  end
+end
+
+# common controller actions
+module RequestForgeryProtectionActions
+  def index
+    render :inline => "<%= form_tag('/') {} %>"
+  end
+  
+  def show_button
+    render :inline => "<%= button_to('New', '/') {} %>"
+  end
+  
+  def unsafe
+    render :text => 'pwn'
+  end
+  
+  def rescue_action(e) raise e end
+end
+
+# sample controllers
+class RequestForgeryProtectionController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery :only => :index, :secret => 'abc'
+end
+
+class RequestForgeryProtectionWithoutSecretController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery
+end
+
+# no token is given, assume the cookie store is used
+class CsrfCookieMonsterController < ActionController::Base
+  include RequestForgeryProtectionActions
+  protect_from_forgery :only => :index
+end
+
+class FreeCookieController < CsrfCookieMonsterController
+  self.allow_forgery_protection = false
+  
+  def index
+    render :inline => "<%= form_tag('/') {} %>"
+  end
+  
+  def show_button
+    render :inline => "<%= button_to('New', '/') {} %>"
+  end
+end
+
+# common test methods
+
+module RequestForgeryProtectionTests
+  def teardown
+    ActionController::Base.request_forgery_protection_token = nil
+  end
+  
+  def test_should_render_form_with_token_tag
+    get :index
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
+  end
+  
+  def test_should_render_button_to_with_token_tag
+    get :show_button
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
+  end
+
+  def test_should_allow_get
+    get :index
+    assert_response :success
+  end
+  
+  def test_should_allow_post_without_token_on_unsafe_action
+    post :unsafe
+    assert_response :success
+  end
+  
+  def test_should_not_allow_post_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { post :index }
+  end
+  
+  def test_should_not_allow_put_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { put :index }
+  end
+  
+  def test_should_not_allow_delete_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { delete :index }
+  end
+  
+  def test_should_not_allow_xhr_post_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
+  end
+  
+  def test_should_not_allow_xhr_put_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index }
+  end
+  
+  def test_should_not_allow_xhr_delete_without_token
+    assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index }
+  end
+  
+  def test_should_allow_post_with_token
+    post :index, :authenticity_token => @token
+    assert_response :success
+  end
+  
+  def test_should_allow_put_with_token
+    put :index, :authenticity_token => @token
+    assert_response :success
+  end
+  
+  def test_should_allow_delete_with_token
+    delete :index, :authenticity_token => @token
+    assert_response :success
+  end
+  
+  def test_should_allow_post_with_xml
+    post :index, :format => 'xml'
+    assert_response :success
+  end
+  
+  def test_should_allow_put_with_xml
+    put :index, :format => 'xml'
+    assert_response :success
+  end
+  
+  def test_should_allow_delete_with_xml
+    delete :index, :format => 'xml'
+    assert_response :success
+  end
+end
+
+# OK let's get our test on
+
+class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
+  include RequestForgeryProtectionTests
+  def setup
+    @controller = RequestForgeryProtectionController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    class << @request.session
+      def session_id() '123' end
+    end
+    @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+    ActionController::Base.request_forgery_protection_token = :authenticity_token
+  end
+end
+
+class RequestForgeryProtectionWithoutSecretControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = RequestForgeryProtectionWithoutSecretController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    class << @request.session
+      def session_id() '123' end
+    end
+    @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+    ActionController::Base.request_forgery_protection_token = :authenticity_token
+  end
+  
+  def test_should_raise_error_without_secret
+    assert_raises ActionController::InvalidAuthenticityToken do
+      get :index
+    end
+  end
+end
+
+class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
+  include RequestForgeryProtectionTests
+  def setup
+    @controller = CsrfCookieMonsterController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    class << @request.session
+      attr_accessor :dbman
+    end
+    # simulate a cookie session store
+    @request.session.dbman = FakeSessionDbMan
+    @token = Digest::SHA1.hexdigest("secure")
+    ActionController::Base.request_forgery_protection_token = :authenticity_token
+  end
+end
+
+class FreeCookieControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = FreeCookieController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    @token      = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+  end
+  
+  def test_should_not_render_form_with_token_tag
+    get :index
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+  end
+  
+  def test_should_not_render_button_to_with_token_tag
+    get :show_button
+    assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
+  end
+  
+  def test_should_allow_all_methods_without_token
+    [:post, :put, :delete].each do |method|
+      assert_nothing_raised { send(method, :index)}
+    end
+  end
+end