forme 1.12.0 → 2.2.0

data/spec/rails_integration_spec.rb

@@ -1,7 +1,6 @@
-require File.join(File.dirname(File.expand_path(__FILE__)), 'spec_helper.rb')
-require File.join(File.dirname(File.expand_path(__FILE__)), 'sequel_helper.rb')
+require_relative 'spec_helper'
+require_relative 'sequel_helper'
 
-require 'rubygems'
 begin
   require 'action_controller/railtie'
 
@@ -9,23 +8,22 @@ begin
     require 'active_pack/gem_version'
   rescue LoadError
   end
-  require 'forme/rails'
+  require_relative '../lib/forme/rails'
 
   if Rails.respond_to?(:version) && Rails.version.start_with?('4')
     # Work around issue in backported openssl environments where
     # secret is 64 bytes intead of 32 bytes
     require 'active_support/message_encryptor'
-    ActiveSupport::MessageEncryptor.send :prepend, Module.new {
-      def initialize(secret, *signature_key_or_options)
-        secret = secret[0, 32]
-        super
-      end
-    }
+    def (ActiveSupport::MessageEncryptor).new(secret, *signature_key_or_options)
+      obj = allocate
+      obj.send(:initialize, secret[0, 32], *signature_key_or_options)
+      obj
+    end
   end
 
   class FormeRails < Rails::Application
     routes.append do
-      %w'index inputs_block inputs_block_wrapper nest nest_sep nest_inputs nest_seq hash legend combined noblock noblock_post safe_buffer'.each do |action|
+      %w'index inputs_block inputs_block_wrapper nest nest_sep nest_inputs nest_seq hash legend combined noblock noblock_post safe_buffer no_forgery_protection'.each do |action|
         get action, :controller=>'forme', :action=>action
       end
     end
@@ -59,6 +57,14 @@ class FormeController < ActionController::Base
 END
   end
 
+  def no_forgery_protection
+    def self.protect_against_forgery?; false end
+    render :inline => <<END
+<%= forme(:method=>'POST') do |f| %>
+<% end %>
+END
+  end
+
   def inputs_block
     render :inline => <<END
 <%= forme([:foo, :bar], :action=>'/baz') do |f| %>
@@ -272,5 +278,9 @@ describe "Forme Rails integration" do
   it "#form should handle Rails SafeBuffers" do
     sin_get('/safe_buffer').must_equal '<form action="/baz"><fieldset class="inputs"><legend><b>foo</b></legend><input id="first" name="first" type="text" value="foo"/></fieldset><input type="submit" value="xyz"/></form>'
   end
+
+  it "#form should handle case where forgery protection is disabled" do
+    sin_get('/no_forgery_protection').must_equal '<form method="POST"> </form>'
+  end
 end
 end

data/spec/roda_integration_spec.rb

@@ -1,8 +1,7 @@
-require File.join(File.dirname(File.expand_path(__FILE__)), 'spec_helper.rb')
-require File.join(File.dirname(File.expand_path(__FILE__)), 'sequel_helper.rb')
-require File.join(File.dirname(File.expand_path(__FILE__)), 'erb_helper.rb')
+require_relative 'spec_helper'
+require_relative 'sequel_helper'
+require_relative 'erb_helper'
 
-require 'rubygems'
 begin
   require 'roda'
   require 'tilt'
@@ -17,34 +16,39 @@ rescue LoadError
   rescue LoadError
     require 'tilt/erb'
   end
-end
-
-class FormeRodaTest < Roda
-  opts[:check_dynamic_arity] = opts[:check_arity] = :warn
-  
-  if defined?(Roda::RodaVersionNumber) && Roda::RodaVersionNumber >= 30100
-    require 'roda/session_middleware'
-    opts[:sessions_convert_symbols] = true
-    use RodaSessionMiddleware, :secret=>SecureRandom.random_bytes(64), :key=>'rack.session'
-  else
-    use Rack::Session::Cookie, :secret => "__a_very_long_string__"
-  end
-
-  def erb(s, opts={})
-    render(opts.merge(:inline=>s))
+else
+  begin
+    require 'erubi/capture_end'
+    require_relative 'erubi_capture_helper'
+  rescue LoadError
   end
+end
 
-  route do |r|
-    r.get 'use_request_specific_token', :use do |use|
-      render :inline=>"[#{Base64.strict_encode64(send(:csrf_secret))}]<%= form({:method=>:post}, {:use_request_specific_token=>#{use == '1'}}) %>"
+def FormeRodaTest(block=ERB_BLOCK)
+  Class.new(Roda) do
+    opts[:check_dynamic_arity] = opts[:check_arity] = :warn
+    
+    if defined?(Roda::RodaVersionNumber) && Roda::RodaVersionNumber >= 30100
+      require 'roda/session_middleware'
+      opts[:sessions_convert_symbols] = true
+      use RodaSessionMiddleware, :secret=>SecureRandom.random_bytes(64), :key=>'rack.session'
+    else
+      use Rack::Session::Cookie, :secret => "__a_very_long_string__"
     end
-    r.get 'hidden_tags' do |use|
-      render :inline=>"<%= form({:method=>:post}, {:hidden_tags=>[{:foo=>'bar'}]}) %>"
+
+    def erb(s, opts={})
+      render(opts.merge(:inline=>s))
     end
-    r.get 'csrf', :use do |use|
-      render :inline=>"<%= form({:method=>:post}, {:csrf=>#{use == '1'}}) %>"
+
+    route do |r|
+      r.get 'use_request_specific_token', :use do |use|
+        render :inline=>"[#{Base64.strict_encode64(send(:csrf_secret))}]<%= form({:method=>:post}, {:use_request_specific_token=>#{use == '1'}}) %>"
+      end
+      r.get 'csrf', :use do |use|
+        render :inline=>"<%= form({:method=>:post}, {:csrf=>#{use == '1'}}) %>"
+      end
+      instance_exec(r, &block)
     end
-    instance_exec(r, &ERB_BLOCK)
   end
 end
 
@@ -54,7 +58,7 @@ rescue LoadError
   warn "unable to load rack/csrf, skipping roda csrf plugin spec"
 else
 describe "Forme Roda ERB integration with roda forme and csrf plugins" do
-  app = FormeRodaCSRFTest = Class.new(FormeRodaTest)
+  app = FormeRodaCSRFTest = FormeRodaTest()
   app.plugin :csrf
   app.plugin :forme
   
@@ -68,64 +72,85 @@ describe "Forme Roda ERB integration with roda forme and csrf plugins" do
 end
 end
 
+module FormeRouteCsrfSpecs
+  extend Minitest::Spec::DSL
+  include FormeErbSpecs
+
+  it "should have a valid CSRF tag" do
+    output = sin_get('/use_request_specific_token/1')
+    output =~ /\[([^\]]+)\].*?value=\"([^\"]+)\"/
+    secret = $1
+    token = $2
+    app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/1', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal true
+    app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/2', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal false
+  end
+
+  it "should handle the :use_request_specific_token => true option" do
+    output = sin_get('/use_request_specific_token/1')
+    output =~ /\[([^\]]+)\].*?value=\"([^\"]+)\"/
+    secret = $1
+    token = $2
+    app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/1', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal true
+    app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/2', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal false
+  end
+
+  it "should handle the :use_request_specific_token => false option" do
+    output = sin_get('/use_request_specific_token/0')
+    output =~ /\[([^\]]+)\].*?value=\"([^\"]+)\"/
+    secret = $1
+    token = $2
+    app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/0', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal(plugin_opts.empty? ? false : true)
+  end
+
+  it "should handle the :csrf option" do
+    sin_get('/csrf/1').must_include '<input name="_csrf" type="hidden" value="'
+    sin_get('/csrf/0').wont_include '<input name="_csrf" type="hidden" value="'
+  end
+end
+
 begin
   require 'roda/plugins/route_csrf'
+  require 'roda/plugins/capture_erb'
+  require 'roda/plugins/inject_erb'
 rescue LoadError
-  warn "unable to load roda/plugins/route_csrf, skipping forme_route_csrf plugin spec"
+  warn "unable to load necessary Roda plugins, skipping forme_erubi_capture plugin spec"
 else
+describe "Forme Roda Erubi::CaptureEnd integration with roda forme_route_csrf" do
+  app = FormeRodaTest(ERUBI_CAPTURE_BLOCK)
+  app.plugin :forme_erubi_capture
+  app.plugin :render, :engine_opts=>{'erb'=>{:engine_class=>Erubi::CaptureEndEngine}}
+
+  define_method(:app){app}
+  define_method(:plugin_opts){{}}
+  define_method(:sin_get) do |path|
+    s = String.new
+    app.call(@rack.merge('PATH_INFO'=>path))[2].each{|str| s << str}
+    s.gsub(/\s+/, ' ').strip
+  end
+
+  include FormeRouteCsrfSpecs
+end if defined?(ERUBI_CAPTURE_BLOCK)
+
 [{}, {:require_request_specific_tokens=>false}].each do |plugin_opts|
   describe "Forme Roda ERB integration with roda forme_route_csrf and route_csrf plugin with #{plugin_opts}" do
-    app = Class.new(FormeRodaTest)
+    app = FormeRodaTest()
     app.plugin :forme_route_csrf
     app.plugin :route_csrf, plugin_opts
 
+    define_method(:app){app}
+    define_method(:plugin_opts){plugin_opts}
     define_method(:sin_get) do |path|
       s = String.new
       app.call(@rack.merge('PATH_INFO'=>path))[2].each{|str| s << str}
       s.gsub(/\s+/, ' ').strip
     end
 
-    include FormeErbSpecs
-
-    it "should handle the :hidden_tags option" do
-      output = sin_get('/use_request_specific_token/1')
-      output =~ /\[([^\]]+)\].*?value=\"([^\"]+)\"/
-      secret = $1
-      token = $2
-      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/1', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal true
-      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/2', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal false
-    end
-
-    it "should handle the :use_request_specific_token => true option" do
-      output = sin_get('/use_request_specific_token/1')
-      output =~ /\[([^\]]+)\].*?value=\"([^\"]+)\"/
-      secret = $1
-      token = $2
-      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/1', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal true
-      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/2', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal false
-    end
-
-    it "should handle the :use_request_specific_token => false option" do
-      output = sin_get('/use_request_specific_token/0')
-      output =~ /\[([^\]]+)\].*?value=\"([^\"]+)\"/
-      secret = $1
-      token = $2
-      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/0', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal(plugin_opts.empty? ? false : true)
-    end
-
-    it "should handle the :hidden_tags option" do
-      sin_get('/hidden_tags').must_include 'name="foo" type="hidden" value="bar"'
-    end
-
-    it "should handle the :csrf option" do
-      sin_get('/csrf/1').must_include '<input name="_csrf" type="hidden" value="'
-      sin_get('/csrf/0').wont_include '<input name="_csrf" type="hidden" value="'
-    end
+    include FormeRouteCsrfSpecs
   end
 
   describe "Forme Roda ERB Sequel integration with roda forme_set plugin and route_csrf plugin with #{plugin_opts}" do
     before do
-      @app = Class.new(FormeRodaTest)
+      @app = FormeRodaTest()
       @app.plugin :route_csrf, plugin_opts
       @app.plugin(:forme_set, :secret=>'1'*64)
 
@@ -147,13 +172,18 @@ else
     def _forme_set(meth, obj, orig_hash, *form_args, &block)
       hash = {}
       forme_set_block = orig_hash.delete(:forme_set_block)
+      handle_params = hash.delete(:handle_params)
       orig_hash.each{|k,v| hash[k.to_s] = v}
-      album = @ab
+      album = obj
       ret, _, data, hmac = nil
       
       @app.route do |r|
         r.get do
-          form(*env[:args], &env[:block]).to_s
+          if @block = env[:block]
+            render(:inline=>'<% form(*env[:args]) do |f| %><%= @block.call(f) %><% end %>')
+          else
+            form(*env[:args])
+          end
         end
         r.post do
           r.params.replace(env[:params])
@@ -167,12 +197,32 @@ else
       data = $2
       hmac = $3
       data.gsub!("&quot;", '"') if data
-      h = {"album"=>hash,  "_forme_set_data"=>data, "_forme_set_data_hmac"=>hmac, "_csrf"=>csrf}
+      h = {"album"=>hash,  "_forme_set_data"=>data, "_forme_set_data_hmac"=>hmac, "_csrf"=>csrf, "body"=>body}
       if data && hmac
+        h = handle_params.call(h) if handle_params
         forme_call(h)
       end
       meth == :forme_parse ? ret : h
     end
+    
+    it "should have subform work correctly" do
+      @app.route do |r|
+        @album = Album.load(:name=>'N', :copies_sold=>2, :id=>1)
+        @album.associations[:artist] = Artist.load(:name=>'A', :id=>2)
+        erb <<END
+0
+<% form(@album, {:action=>'/baz'}, :button=>'Sub') do |f| %>
+  1
+  <%= f.subform(:artist, :inputs=>[:name], :legend=>'Foo', :grid=>true, :labels=>%w'Name') %>
+  2
+<% end %>
+3
+END
+      end
+
+      body = @app.call('REQUEST_METHOD'=>'GET')[2].join.gsub("\n", ' ').gsub(/  +/, ' ').chomp(' ')
+      body.sub(%r{<input name="_csrf" type="hidden" value="([^"]+)"/>}, '<input name="_csrf" type="hidden" value="csrf"/>').must_equal '0 <form action="/baz" class="forme album" method="post"><input name="_csrf" type="hidden" value="csrf"/> 1 <input id="album_artist_attributes_id" name="album[artist_attributes][id]" type="hidden" value="2"/><table><caption>Foo</caption><thead><tr><th>Name</th></tr></thead><tbody><tr><td class="string"><input id="album_artist_attributes_name" maxlength="255" name="album[artist_attributes][name]" type="text" value="A"/></td></tr></tbody></table> 2 <input type="submit" value="Sub"/></form>3'
+    end
 
     it "#forme_set should include HMAC values if form includes inputs for obj" do
       h = forme_set(@ab, :name=>'Foo')
@@ -196,6 +246,18 @@ else
       @ab.copies_sold.must_be_nil
     end
 
+    it "#forme_set handle missing csrf" do
+      h = forme_set(@ab, :name=>'Foo'){|f| f.input(:name)}
+      @ab.name = nil
+      data = JSON.parse(h["_forme_set_data"])
+      data.delete('csrf')
+      data = data.to_json
+      hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA512.new, '1'*64, data)
+      forme_call(h.merge("_forme_set_data_hmac"=>hmac, "_forme_set_data"=>data))
+      @ab.name.must_equal 'Foo'
+      @ab.copies_sold.must_be_nil
+    end
+
     it "#forme_set should handle custom form namespaces" do
       forme_set(@ab, {"album"=>{"name"=>'Foo', 'copies_sold'=>'100'}}, {}, :namespace=>'album'){|f| f.input(:name); f.input(:copies_sold)}
       @ab.name.must_equal 'Foo'
@@ -469,6 +531,10 @@ else
       @ab.forme_validations.merge!(hash[:validations])
       @ab.valid?.must_equal true
     end
+
+    it "should handle forms with objects that don't support forme_inputs" do
+      forme_set(String, {:name=>'Foo'}, {}, :inputs=>[:name])['body'].must_equal '<form><fieldset class="inputs"><input id="name" name="name" type="text" value="String"/></fieldset></form>'
+    end
   end
 end
 end

data/spec/sequel_helper.rb

@@ -1,7 +1,6 @@
-require 'rubygems'
 require 'sequel'
 
-db_url = defined?(RUBY_ENGINE) && RUBY_ENGINE == 'jruby' ? 'jdbc:sqlite::memory:' : 'sqlite:/'
+db_url = RUBY_ENGINE == 'jruby' ? 'jdbc:sqlite::memory:' : 'sqlite:/'
 DB = Sequel.connect(db_url, :identifier_mangling=>false)
 DB.extension(:freeze_datasets)
 Sequel.default_timezone = :utc
@@ -18,6 +17,8 @@ DB.create_table(:albums) do
   Date :release_date
   DateTime :created_at
   Integer :copies_sold
+  Float :fl
+  BigDecimal :bd
 end
 DB.create_table(:album_infos) do
   primary_key :id

data/spec/sequel_i18n_helper.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(File.expand_path(__FILE__)), 'sequel_helper.rb')
+require_relative 'sequel_helper'
 
 gem 'i18n', '>= 0.7.0'
 require 'i18n'

data/spec/sequel_i18n_plugin_spec.rb

@@ -1,8 +1,8 @@
-require File.join(File.dirname(File.expand_path(__FILE__)), 'spec_helper.rb')
+require_relative 'spec_helper'
 
 begin
   raise LoadError if defined?(JRUBY_VERSION) && /\A9\.2\./.match(JRUBY_VERSION)
-  require File.join(File.dirname(File.expand_path(__FILE__)), 'sequel_i18n_helper.rb')
+  require_relative 'sequel_i18n_helper'
 rescue LoadError
   warn "unable to load i18n, skipping i18n Sequel plugin spec"
 else
@@ -13,19 +13,19 @@ describe "Forme Sequel::Model forms" do
   end
 
   it "should not change the usual label input if translation is not present" do
-    @b.input(:name).to_s.must_equal '<label>Name: <input id="invoice_name" maxlength="255" name="invoice[name]" type="text" value="b"/></label>'
+    @b.input(:name).must_equal '<label>Name: <input id="invoice_name" maxlength="255" name="invoice[name]" type="text" value="b"/></label>'
   end
 
   it "should use the translation for the label if present" do
-    @b.input(:summary).to_s.must_equal '<label>Brief Description: <input id="invoice_summary" maxlength="255" name="invoice[summary]" type="text" value="a brief summary"/></label>'
+    @b.input(:summary).must_equal '<label>Brief Description: <input id="invoice_summary" maxlength="255" name="invoice[summary]" type="text" value="a brief summary"/></label>'
   end
 
   it "should not change the usual legend for the subform if the translation is not present" do
-    Forme.form(Firm[1]){|f| f.subform(:invoices){ f.input(:name) }}.to_s.must_equal '<form class="forme firm" method="post"><input id="firm_invoices_attributes_0_id" name="firm[invoices_attributes][0][id]" type="hidden" value="1"/><fieldset class="inputs"><legend>Invoice #1</legend><label>Name: <input id="firm_invoices_attributes_0_name" maxlength="255" name="firm[invoices_attributes][0][name]" type="text" value="b"/></label></fieldset></form>'
+    Forme.form(Firm[1]){|f| f.subform(:invoices){ f.input(:name) }}.must_equal '<form class="forme firm" method="post"><input id="firm_invoices_attributes_0_id" name="firm[invoices_attributes][0][id]" type="hidden" value="1"/><fieldset class="inputs"><legend>Invoice #1</legend><label>Name: <input id="firm_invoices_attributes_0_name" maxlength="255" name="firm[invoices_attributes][0][name]" type="text" value="b"/></label></fieldset></form>'
   end
 
   it "should use the translation for the legend on the subform if present" do
-    Forme.form(Firm[1]){|f| f.subform(:clients){ f.input(:name) }}.to_s.must_equal '<form class="forme firm" method="post"><input id="firm_clients_attributes_0_id" name="firm[clients_attributes][0][id]" type="hidden" value="1"/><fieldset class="inputs"><legend>Clientes</legend><label>Name: <input id="firm_clients_attributes_0_name" maxlength="255" name="firm[clients_attributes][0][name]" type="text" value="a great client"/></label></fieldset></form>'
+    Forme.form(Firm[1]){|f| f.subform(:clients){ f.input(:name) }}.must_equal '<form class="forme firm" method="post"><input id="firm_clients_attributes_0_id" name="firm[clients_attributes][0][id]" type="hidden" value="1"/><fieldset class="inputs"><legend>Clientes</legend><label>Name: <input id="firm_clients_attributes_0_name" maxlength="255" name="firm[clients_attributes][0][name]" type="text" value="a great client"/></label></fieldset></form>'
   end
 end
 end