forme 1.7.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4c126daca3403b2140b2059d04c6ef405a11f8d56418ce4e971025ee8f861ec2
-  data.tar.gz: 347c183344c4fe77f42753d0ec0515ce11065e648a9d37d14665b7d10fb090ed
+  metadata.gz: bd9180036757136c1db6fac34b523812491b687be4395d87ef09efee4066d85b
+  data.tar.gz: a627b8fdde2c50d73e28b9a7d9d66545de2df0e180dd06832beea3c4990db04c
 SHA512:
-  metadata.gz: 220b3e73af81b0db1f4187ba2f65505b775780ff8b9459d3b95f139d5160fcaa3eacf5e2172b5f9e883c7f7fc9bf7b4bb23ef05b54abbf815fe2d481844a5038
-  data.tar.gz: 5742f5edf32047920fb23f73bdd86a3c29823d1c2f9b0834718a304d157cabea627767448c534e9b2a0e21c0ab78dbb240c66692706bb68c59e84c1a9c618c2a
+  metadata.gz: 489e5bf2d0d1d3af91e85c36e864775395ff6aede61c591e519c951118add014491e6b9d1b01e10364408fafcc8cc51aeffdcf43a21ea8fe2f247e0932d6acd7
+  data.tar.gz: f6aa875870c75b068b2fd91846f2deba8e3f3304797c945895469e0903797ad0a9eb7a425b8185a3e707e13f30c02f3cb879a43c0d412b1c09f630d9eeefc526

data/CHANGELOG

@@ -1,3 +1,19 @@
+=== 1.8.0 (2018-06-11)
+
+* Add support for :errors form option for setting error information for multiple inputs, similar to :values form option (adam12) (#32)
+
+* Add Roda forme_route_csrf plugin using route_csrf plugin for request-specific CSRF tokens (jeremyevans)
+
+* Add forme_default_request_method as a method to check for object forms, setting the default form method (jeremyevans)
+
+* Support :dasherize_data input option to convert underscores to dashes for :data hash symbol keys (janko-m) (#29)
+
+* Omit labels for hidden inputs in Sequel plugin (janko-m) (#27)
+
+* Allow use of :type option for specifying input type when using an associated object that doesn't respond to forme_input (janko-m) (#25)
+
+* Ignore default values for Sequel inputs when type: :file option is used (janko-m) (#24)
+
 === 1.7.0 (2018-02-07)
 
 * Have radioset and checkboxset inputs respect :error_attr option (jeremyevans)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2011-2017 Jeremy Evans
+Copyright (c) 2011-2018 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -242,15 +242,20 @@ object responds to +forme_input+, calls forme_input with the argument and option
   f = Forme::Form.new(obj)
   f.input(:field) # '<input id="obj_field" name="obj[field]" type="text" value="foo"/>'
 
-If the form has an associated object, and that object does not respond to +forme_iuput+,
+If the form has an associated object, and that object does not respond to +forme_input+,
 calls the method on the object (or uses [] if the object is a hash), and uses the result
-as the value:
+as the value for a text input:
 
   f = Forme::Form.new([:foo])
   f.input(:first) # '<input id="first" name="first" type="text" value="foo"/>'
-  
-If the form does not have an assocaited object, uses the first argument as the input
-type:
+
+If the object does not respond to +forme_input+, you can change the type of the input
+via the +:type+ option:
+
+  f = Forme::Form.new(obj)
+  f.input(:field, :type=>:email) # '<input id="obj_field" name="obj[field]" type="email" value="foo"/>'
+
+If the form does not have an associated object, the first argument is used as the input type:
 
   f = Forme::Form.new
   f.input(:text) # '<input type="text" />'
@@ -419,7 +424,7 @@ these additional options to the #input method:
 :true_label :: The value to use for the true label, 'Yes' by default.
 :true_value :: The value to use for the true input, 't' by default.
 
-== string
+=== string
 
 :as :: Can be set to :textarea to use a textarea input. You can use the usual attributes hash or a stylesheet to 
        control the size of the textarea.
@@ -688,12 +693,45 @@ plugins:
 
 forme_i18n :: Handles translations for labels using i18n.
 
-= ERB Support
+= Roda Support
+
+Forme ships with two Roda plugins, forme and forme_route_csrf.  For new code, it is
+recommended to use forme_route_csrf, as that uses Roda's route_csrf plugin, which
+supports more secure request-specific CSRF tokens.  In both cases, usage in ERB
+templates is the same:
+
+  <% form(@obj, :action=>'/foo') do |f| %>
+    <%= f.input(:field) %>
+    <% f.tag(:fieldset) do %>
+      <%= f.input(:field_two) %>
+    <% end %>
+  <% end %>
+
+The forme_route_csrf plugin's +form+ method supports the following options
+in addition to the default +Forme.form+ options:
+
+:csrf :: Set to force whether a CSRF tag should be included.  By default, a CSRF
+         tag is included if the form's method is one of the request methods checked
+         by the Roda route_csrf plugin.
+:use_request_specific_token :: Set whether to force the use of a request specific
+                               CSRF token.  By default, uses a request specific
+                               CSRF token unless the Roda route_csrf plugin has been
+                               configured to support non-request specific tokens.
+
+The forme plugin does not require any csrf plugin, but will transparently use
+Rack::Csrf if it is available. If Rack::Csrf is available a CSRF tag if the form's
+method is +POST+, with no configuration ability.
+
+Both plugins also support the following option:
+
+:output :: The object that the form output should be injected into when
+           injecting output (+@_out_buf+ by default).
+
+= Sinatra Support
 
 Forme ships with a ERB extension that you can get by <tt>require "forme/erb"</tt> and using
-<tt>including Forme::ERB::Helper</tt>.  This is tested to support ERB templates in both the
-Sinatra and Roda web frameworks.  It allows you to use the following API in your erb
-templates:
+<tt>including Forme::ERB::Helper</tt>.  This is tested to support ERB templates in Sinatra.
+It allows you to use the following API in your erb templates:
 
   <% form(@obj, :action=>'/foo') do |f| %>
     <%= f.input(:field) %>
@@ -718,7 +756,7 @@ in your Rails forms:
     <% end %>
   <% end %>
 
-This has been tested on Rails 3.2-4.1, but should hopefully work on Rails 3.0+.
+This has been tested on Rails 3.2-5.2.
 
 = Input Types and Options
 
@@ -734,6 +772,9 @@ These options are supported by all of the input types:
 :autofocus :: Set the autofocus attribute if true
 :class :: A class to use.  Unlike other options, this is combined with the
           classes set in the :attr hash.
+:dasherize_data :: Automatically replace underscores with hyphens for symbol
+                   data attribute names in the +:data+ hash. Defaults to
+                   +false+.
 :data :: A hash of data-* attributes for the resulting tag.  Keys in this hash
          will have attributes created with data- prepended to the attribute name.
 :disabled :: Set the disabled attribute if true
@@ -746,8 +787,11 @@ These options are supported by all of the input types:
 :label :: Set a label, invoking the labeler
 :labeler :: Set a custom labeler, overriding the form's default
 :name :: The name attribute to use
+:obj :: Set the form object, overriding the form's default
 :placeholder :: The placeholder attribute to use
 :required :: Set the required attribute if true
+:type :: Override the type of the input when the form has an associated object
+         but the object does not respond to +forme_input+
 :value :: The value attribute to use for input tags, the content of the textarea
           for textarea tags, or the selected option(s) for select tags.
 :wrapper :: Set a custom wrapper, overriding the form's default
@@ -779,7 +823,7 @@ creates multiple select options. Options:
           (:date default: <tt>[:year, '-', :month, '-', :day]</tt>)
           (:datetime default: <tt>[:year, '-', :month, '-', :day, ' ', :hour, ':', :minute, ':', :second]</tt>)
 :select_options :: The options to use for the select boxes.  Should be a hash keyed by the
-                  symbol used in order (e.g. <tt>{:year=>1970..2020}</tt>)
+                   symbol used in order (e.g. <tt>{:year=>1970..2020}</tt>)
 
 === :select
 
@@ -846,6 +890,8 @@ the defaults for Inputs created via the form:
 
 :config :: The configuration to use, which automatically sets defaults
            for the transformers to use.
+:errors :: A Hash of errors from a previous form submission, used to set
+           default errors for inputs when the inputs use the :key option.
 :error_handler :: Sets the default error_handler for the form's inputs
 :helper :: Sets the default helper for the form's inputs
 :formatter :: Sets the default formatter for the form's inputs

data/lib/forme/erb.rb

@@ -1,6 +1,6 @@
 # frozen-string-literal: true
 
-require 'forme'
+require 'forme/erb_form'
 
 module Forme
   module ERB 
@@ -16,77 +16,11 @@ module Forme
 
     # Add CSRF token tag by default for POST forms
     add_hidden_tag do |tag|
-      if defined?(::Rack::Csrf) && (form = tag.form) && (env = form.opts[:env]) && env['rack.session'] && tag.attr[:method].to_s.upcase == 'POST'
+      if defined?(::Rack::Csrf) && (form = tag.form) && (env = form.opts[:env]) && env['rack.session'] && (tag.attr[:method] || tag.attr['method']).to_s.upcase == 'POST'
         {::Rack::Csrf.field=>::Rack::Csrf.token(env)}
       end
     end
 
-    # Subclass used when using Forme ERB integration.
-    # Handles integrating into the view template so that
-    # methods with blocks can inject strings into the output.
-    class Form < ::Forme::Form
-      # Template output object, where serialized output gets
-      # injected.
-      attr_reader :output
-
-      # Set the template output object when initializing.
-      def initialize(*)
-        super
-        @output = @opts[:output] ? @opts[:output] : String.new
-      end
-
-      # Serialize the tag and inject it into the output.
-      def emit(tag)
-        output << tag.to_s
-      end
-
-      # Capture the inside of the inputs, injecting it into the template
-      # if a block is given, or returning it as a string if not.
-      def inputs(*a, &block)
-        if block
-          capture(block){super}
-        else
-          capture{super}
-        end
-      end
-
-      # Capture the inside of the form, injecting it into the template if
-      # a block is given, or returning it as a string if not.
-      def form(*a, &block)
-        if block
-          capture(block){super}
-        else
-          super
-        end
-      end
-
-      # If a block is given, inject an opening tag into the
-      # output, inject any given children into the output, yield to the
-      # block, inject a closing tag into the output.
-      # If a block is not given, just return the tag created.
-      def tag(type, attr={}, children=[], &block)
-        tag = _tag(type, attr, children)
-        if block
-          capture(block) do
-            emit(serialize_open(tag))
-            Array(tag.children).each{|c| emit(c)}
-            yield self
-            emit(serialize_close(tag))
-          end
-        else
-          tag
-        end
-      end
-
-      def capture(block=String.new) # :nodoc:
-        buf_was, @output = @output, block.is_a?(Proc) ? (eval("@_out_buf", block.binding) || @output) : block
-        yield
-        ret = @output
-        @output = buf_was
-        ret
-      end
-    end
-    
     # This is the module used to add the Forme integration
     # to ERB.
     module Helper 

data/lib/forme/erb_form.rb

@@ -0,0 +1,74 @@
+# frozen-string-literal: true
+
+require 'forme'
+
+module Forme
+  module ERB 
+    # Subclass used when using Forme ERB integration.
+    # Handles integrating into the view template so that
+    # methods with blocks can inject strings into the output.
+    class Form < ::Forme::Form
+      # Template output object, where serialized output gets
+      # injected.
+      attr_reader :output
+
+      # Set the template output object when initializing.
+      def initialize(*)
+        super
+        @output = @opts[:output] ? @opts[:output] : String.new
+      end
+
+      # Serialize the tag and inject it into the output.
+      def emit(tag)
+        output << tag.to_s
+      end
+
+      # Capture the inside of the inputs, injecting it into the template
+      # if a block is given, or returning it as a string if not.
+      def inputs(*a, &block)
+        if block
+          capture(block){super}
+        else
+          capture{super}
+        end
+      end
+
+      # Capture the inside of the form, injecting it into the template if
+      # a block is given, or returning it as a string if not.
+      def form(*a, &block)
+        if block
+          capture(block){super}
+        else
+          super
+        end
+      end
+
+      # If a block is given, inject an opening tag into the
+      # output, inject any given children into the output, yield to the
+      # block, inject a closing tag into the output.
+      # If a block is not given, just return the tag created.
+      def tag(type, attr={}, children=[], &block)
+        tag = _tag(type, attr, children)
+        if block
+          capture(block) do
+            emit(serialize_open(tag))
+            Array(tag.children).each{|c| emit(c)}
+            yield self
+            emit(serialize_close(tag))
+          end
+        else
+          tag
+        end
+      end
+
+      def capture(block=String.new) # :nodoc:
+        buf_was, @output = @output, block.is_a?(Proc) ? (eval("@_out_buf", block.binding) || @output) : block
+        yield
+        ret = @output
+        @output = buf_was
+        ret
+      end
+    end
+  end
+end
+

data/lib/forme/form.rb

@@ -103,6 +103,9 @@ module Forme
 
     # Create a form tag with the given attributes.
     def form(attr={}, &block)
+      if obj && !attr[:method] && !attr['method'] && obj.respond_to?(:forme_default_request_method)
+        attr = attr.merge('method'=>obj.forme_default_request_method)
+      end
       tag(:form, attr, method(:hidden_form_tags), &block)
     end
 
@@ -138,14 +141,15 @@ module Forme
         else
           opts = opts.dup
           opts[:key] = field unless opts.has_key?(:key)
-          unless opts.has_key?(:value)
+          type = opts.delete(:type) || :text
+          unless opts.has_key?(:value) || type == :file
             opts[:value] = if obj.is_a?(Hash)
               obj[field]
             else
               obj.send(field)
             end
           end
-          _input(:text, opts)
+          _input(type, opts)
         end
       else
         _input(field, opts)

data/lib/forme/rails.rb

@@ -20,7 +20,7 @@ module Forme
 
     # Add CSRF token tag by default for POST forms
     add_hidden_tag do |tag|
-      if (form = tag.form) && (template = form.template) && template.protect_against_forgery? && tag.attr[:method].to_s.upcase == 'POST'
+      if (form = tag.form) && (template = form.template) && template.protect_against_forgery? && (tag.attr[:method] || tag.attr['method']).to_s.upcase == 'POST'
         {template.request_forgery_protection_token=>template.form_authenticity_token}
       end
     end

data/lib/forme/transformers/formatter.rb

@@ -316,12 +316,14 @@ module Forme
       copy_options_to_attributes(ATTRIBUTE_OPTIONS)
       copy_boolean_options_to_attributes(ATTRIBUTE_BOOLEAN_OPTIONS)
       handle_key_option
+      handle_errors_option
 
       Forme.attr_classes(@attr, @opts[:class]) if @opts.has_key?(:class)
       Forme.attr_classes(@attr, 'error') if @opts[:error]
 
       if data = opts[:data]
         data.each do |k, v|
+          k = k.to_s.tr("_", "-") if k.is_a?(Symbol) && input.opts[:dasherize_data]
           sym = :"data-#{k}"
           @attr[sym] = v unless @attr.has_key?(sym)
         end
@@ -347,6 +349,14 @@ module Forme
       end
     end
 
+    def handle_errors_option
+      if key = @opts[:key]
+        if !@attr.has_key?(:error) && !@attr.has_key?("error") && (errors = @form.opts[:errors])
+          set_error_from_namespaced_errors(namespaces, errors, key)
+        end
+      end
+    end
+
     # Array of namespaces to use for the input
     def namespaces
       input.form_opts[:namespace]
@@ -385,6 +395,16 @@ module Forme
       @attr[:value] = values.fetch(key){values.fetch(key.to_s){return}}
     end
 
+    def set_error_from_namespaced_errors(namespaces, errors, key)
+      namespaces.each do |ns|
+        e = errors[ns] || errors[ns.to_s]
+        return unless e
+        errors = e
+      end
+
+      @opts[:error] = errors.fetch(key){errors.fetch(key.to_s){return}}
+    end
+
     # If :optgroups option is present, iterate over each of the groups
     # inside of it and create options for each group.  Otherwise, if
     # :options option present, iterate over it and create options.

data/lib/forme/version.rb

@@ -1,8 +1,22 @@
 # frozen-string-literal: true
 
 module Forme
+  # The major version of Forme, updated only for major changes that are
+  # likely to require modification to apps using Forme.
+  MAJOR = 1
+
+  # The minor version of Forme, updated for new feature releases of Forme.
+  MINOR = 8
+
+  # The patch version of Forme, updated only for bug fixes from the last
+  # feature release.
+  TINY = 0
+
   # Version constant, use <tt>Forme.version</tt> instead.
-  VERSION = '1.7.0'.freeze
+  VERSION = "#{MAJOR}.#{MINOR}.#{TINY}".freeze
+
+  # The full version of Forme as a number (1.8.0 => 10800)
+  VERSION_NUMBER = MAJOR*10000 + MINOR*100 + TINY
 
   # Returns the version as a frozen string (e.g. '0.1.0')
   def self.version

data/lib/roda/plugins/forme_route_csrf.rb

@@ -0,0 +1,60 @@
+# frozen-string-literal: true
+
+require 'forme/erb_form'
+
+class Roda
+  module RodaPlugins
+    module FormeRouteCsrf
+      # Require the render plugin, since forme template integration
+      # only makes sense with it.
+      def self.load_dependencies(app)
+        app.plugin :render
+        app.plugin :route_csrf
+      end
+
+      module InstanceMethods
+        # Create a +Form+ object tied to the current output buffer,
+        # using the standard ERB hidden tags.
+        def form(obj=nil, attr={}, opts={}, &block)
+          if obj.is_a?(Hash)
+            attribs = obj
+            options = attr = attr.dup
+          else
+            attribs = attr
+            options = opts = opts.dup
+          end
+
+          apply_csrf = options[:csrf]
+
+          if apply_csrf || apply_csrf.nil?
+            unless method = attribs[:method] || attribs['method']
+              if obj && !obj.is_a?(Hash) && obj.respond_to?(:forme_default_request_method)
+                method = obj.forme_default_request_method
+              end
+            end
+          end
+
+          if apply_csrf.nil?
+            apply_csrf = csrf_options[:check_request_methods].include?(method.to_s.upcase)
+          end
+
+          if apply_csrf
+            token = if options.fetch(:use_request_specific_token){use_request_specific_csrf_tokens?}
+              csrf_token(csrf_path(attribs[:action]), method)
+            else
+              csrf_token
+            end
+
+            options[:hidden_tags] ||= []
+            options[:hidden_tags] += [{csrf_field=>token}]
+          end
+
+          options[:output] = @_out_buf if block
+          ::Forme::ERB::Form.form(obj, attr, opts, &block)
+        end
+      end
+    end
+
+    register_plugin(:forme_route_csrf, FormeRouteCsrf)
+  end
+end

data/lib/sequel/plugins/forme.rb

@@ -21,7 +21,6 @@ module Sequel # :nodoc:
         # Use the post method by default for Sequel forms, unless
         # overridden with the :method attribute.
         def form(attr={}, &block)
-          attr = {:method=>:post}.merge(attr)
           attr[:class] = ::Forme.merge_classes(attr[:class], "forme", obj.forme_namespace)
           super(attr, &block)
         end
@@ -382,10 +381,21 @@ module Sequel # :nodoc:
 
         # Use a file type for blobs.
         def input_blob(sch)
+          input_file(sch)
+        end
+
+        # Ignore any default values for file inputs.
+        def input_file(sch)
           opts[:value] = nil
           standard_input(:file)
         end
 
+        # Use hidden inputs without labels.
+        def input_hidden(sch)
+          opts[:label] = nil
+          standard_input(:hidden)
+        end
+
         # Use the text type by default for other cases not handled.
         def input_string(sch)
           if opts[:as] == :textarea
@@ -482,6 +492,10 @@ module Sequel # :nodoc:
           SequelInput.new(self, form, field, opts).input
         end
 
+        def forme_default_request_method
+          'post'
+        end
+
         # Use the underscored model name as the default namespace.
         def forme_namespace
           model.send(:underscore, model.name)

data/spec/all.rb

@@ -1,3 +1,2 @@
-require 'rubygems'
 $: << 'lib'
 Dir['./spec/*_spec.rb'].each{|f| require f}

data/spec/bs3_spec.rb

@@ -604,7 +604,7 @@ describe "Forme Bootstrap3 (BS3) forms" do
   end
 
   it "should format bigdecimals in standard notation" do
-    @f.tag(:div, :foo=>BigDecimal.new('10000.010')).to_s.must_equal '<div foo="10000.01"></div>'
+    @f.tag(:div, :foo=>BigDecimal('10000.010')).to_s.must_equal '<div foo="10000.01"></div>'
   end
 
   it "inputs should accept a :wrapper option to use a custom wrapper" do

data/spec/forme_spec.rb

@@ -114,6 +114,18 @@ describe "Forme plain forms" do
     end
   end
 
+  it "should consider form's :errors hash based on the :key option" do
+    @f.opts[:errors] = { 'foo' => 'must be present' }
+    @f.input(:text, :key=>"foo").to_s.must_equal "<input class=\"error\" id=\"foo\" name=\"foo\" type=\"text\"/><span class=\"error_message\">must be present</span>"
+  end
+
+  it "should consider form's :errors hash based on the :key option when using namespaces" do
+    @f.opts[:errors] = { 'bar' => { 'foo' => 'must be present' } }
+    @f.with_opts(:namespace=>['bar']) do
+      @f.input(:text, :key=>"foo").to_s.must_equal "<input class=\"error\" id=\"bar_foo\" name=\"bar[foo]\" type=\"text\"/><span class=\"error_message\">must be present</span>"
+    end
+  end
+
   it "should support a with_obj method that changes the object and namespace for the given block" do
     @f.with_obj([:a, :c], 'bar') do
       @f.input(:first).to_s.must_equal '<input id="bar_first" name="bar[first]" type="text" value="a"/>'
@@ -195,6 +207,14 @@ describe "Forme plain forms" do
     @f.input(:text, :data=>{:bar=>"foo"}).to_s.must_equal '<input data-bar="foo" type="text"/>'
   end
 
+  it "should replace underscores with hyphens in symbol :data keys when :dasherize_data is set" do
+    @f.input(:text, :data=>{:foo_bar=>"baz"}).to_s.must_equal '<input data-foo_bar="baz" type="text"/>'
+    @f.input(:text, :data=>{"foo_bar"=>"baz"}).to_s.must_equal '<input data-foo_bar="baz" type="text"/>'
+
+    @f.input(:text, :data=>{:foo_bar=>"baz"}, :dasherize_data => true).to_s.must_equal '<input data-foo-bar="baz" type="text"/>'
+    @f.input(:text, :data=>{"foo_bar"=>"baz"}, :dasherize_data => true).to_s.must_equal '<input data-foo_bar="baz" type="text"/>'
+  end
+
   it "should not have standard options override the :attr option" do
     @f.input(:text, :name=>:bar, :attr=>{:name=>"foo"}).to_s.must_equal '<input name="foo" type="text"/>'
   end
@@ -644,7 +664,7 @@ describe "Forme plain forms" do
   end
 
   it "should format bigdecimals in standard notation" do
-    @f.tag(:div, :foo=>BigDecimal.new('10000.010')).to_s.must_equal '<div foo="10000.01"></div>'
+    @f.tag(:div, :foo=>BigDecimal('10000.010')).to_s.must_equal '<div foo="10000.01"></div>'
   end
 
   it "inputs should accept a :wrapper option to use a custom wrapper" do
@@ -1082,6 +1102,18 @@ describe "Forme object forms" do
   it "should be able to turn off obj handling per input using :obj=>nil option" do
     Forme::Form.new([:foo]).input(:checkbox, :name=>"foo", :hidden_value=>"no", :obj=>nil).to_s.must_equal '<input name="foo" type="hidden" value="no"/><input name="foo" type="checkbox"/>'
   end
+
+  it "should be able to change input type" do
+    Forme::Form.new([:foo]).input(:first, :type=>:email).to_s.must_equal  '<input id="first" name="first" type="email" value="foo"/>'
+  end
+
+  it "should not have default value for file input" do
+    Forme::Form.new([:foo]).input(:first, :type=>:file).to_s.must_equal  '<input id="first" name="first" type="file"/>'
+  end
+
+  it "should be able to set value for file input" do
+    Forme::Form.new([:foo]).input(:first, :type=>:file, :value=>"foo").to_s.must_equal  '<input id="first" name="first" type="file" value="foo"/>'
+  end
 end
 
 describe "Forme.form DSL" do

data/spec/rails_integration_spec.rb

@@ -23,7 +23,7 @@ class FormeRails < Rails::Application
   config.middleware.delete(ActionDispatch::ShowExceptions)
   config.middleware.delete(Rack::Lock)
   config.secret_key_base = 'foo'*15
-  config.secret_token = 'secret token'*15
+  config.secret_token = 'secret token'*15 if Rails.respond_to?(:version) && Rails.version < '5.2' 
   config.eager_load = true
   initialize!
 end

data/spec/roda_integration_spec.rb

@@ -5,41 +5,115 @@ require File.join(File.dirname(File.expand_path(__FILE__)), 'erb_helper.rb')
 require 'rubygems'
 begin
   require 'roda'
-  require 'rack/csrf'
+  require 'tilt'
 rescue LoadError
-  warn "unable to load roda or rack/csrf, skipping roda spec"
+  warn "unable to load roda or tilt, skipping roda specs"
 else
 begin
-  require 'tilt/erubis'
+  require 'tilt/erubi'
 rescue LoadError
-  require 'tilt/erb'
   begin
-    require 'erubis'
+    require 'tilt/erubis'
   rescue LoadError
-    require 'erb'
+    require 'tilt/erb'
   end
 end
+
 class FormeRodaTest < Roda
-  plugin :forme
   use Rack::Session::Cookie, :secret => "__a_very_long_string__"
-  use Rack::Csrf
 
   def erb(s, opts={})
     render(opts.merge(:inline=>s))
   end
 
   route do |r|
+    r.get 'use_request_specific_token', :use do |use|
+      render :inline=>"[#{Base64.strict_encode64(send(:csrf_secret))}]<%= form({:method=>:post}, {:use_request_specific_token=>#{use == '1'}}) %>"
+    end
+    r.get 'hidden_tags' do |use|
+      render :inline=>"<%= form({:method=>:post}, {:hidden_tags=>[{:foo=>'bar'}]}) %>"
+    end
+    r.get 'csrf', :use do |use|
+      render :inline=>"<%= form({:method=>:post}, {:csrf=>#{use == '1'}}) %>"
+    end
     instance_exec(r, &ERB_BLOCK)
   end
 end
 
-describe "Forme Roda ERB integration" do
+begin
+  require 'rack/csrf'
+rescue LoadError
+  warn "unable to load rack/csrf, skipping roda csrf plugin spec"
+else
+describe "Forme Roda ERB integration with roda forme and csrf plugins" do
+  app = FormeRodaCSRFTest = Class.new(FormeRodaTest)
+  app.plugin :csrf
+  app.plugin :forme
+  
   def sin_get(path)
     s = String.new
-    FormeRodaTest.app.call(@rack.merge('PATH_INFO'=>path))[2].each{|str| s << str}
+    FormeRodaCSRFTest.app.call(@rack.merge('PATH_INFO'=>path))[2].each{|str| s << str}
     s.gsub(/\s+/, ' ').strip
   end
 
   include FormeErbSpecs
 end
 end
+
+begin
+  require 'roda/plugins/route_csrf'
+rescue LoadError
+  warn "unable to load roda/plugins/route_csrf, skipping forme_route_csrf plugin spec"
+else
+[{}, {:require_request_specific_tokens=>false}].each do |plugin_opts|
+  describe "Forme Roda ERB integration with roda forme_route_csrf and route_csrf plugin with #{plugin_opts}" do
+    app = Class.new(FormeRodaTest)
+    app.plugin :forme_route_csrf
+    app.plugin :route_csrf, plugin_opts
+
+    define_method(:sin_get) do |path|
+      s = String.new
+      app.call(@rack.merge('PATH_INFO'=>path))[2].each{|str| s << str}
+      s.gsub(/\s+/, ' ').strip
+    end
+
+    include FormeErbSpecs
+
+    it "should handle the :hidden_tags option" do
+      output = sin_get('/use_request_specific_token/1')
+      output =~ /\[([^\]]+)\].*?value=\"([^\"]+)\"/
+      secret = $1
+      token = $2
+      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/1', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal true
+      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/2', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal false
+    end
+
+    it "should handle the :use_request_specific_token => true option" do
+      output = sin_get('/use_request_specific_token/1')
+      output =~ /\[([^\]]+)\].*?value=\"([^\"]+)\"/
+      secret = $1
+      token = $2
+      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/1', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal true
+      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/2', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal false
+    end
+
+    it "should handle the :use_request_specific_token => false option" do
+      output = sin_get('/use_request_specific_token/0')
+      output =~ /\[([^\]]+)\].*?value=\"([^\"]+)\"/
+      secret = $1
+      token = $2
+      app.new({'SCRIPT_NAME'=>'', 'PATH_INFO'=>'/use_request_specific_token/0', 'REQUEST_METHOD'=>'POST', 'rack.session'=>{'_roda_csrf_secret'=>secret}, 'rack.input'=>StringIO.new}).valid_csrf?(:token=>token).must_equal(plugin_opts.empty? ? false : true)
+    end
+
+    it "should handle the :hidden_tags option" do
+      sin_get('/hidden_tags').must_include 'name="foo" type="hidden" value="bar"'
+    end
+
+    it "should handle the :csrf option" do
+      sin_get('/csrf/1').must_include '<input name="_csrf" type="hidden" value="'
+      sin_get('/csrf/0').wont_include '<input name="_csrf" type="hidden" value="'
+    end
+  end
+end
+end
+end

data/spec/sequel_plugin_spec.rb

@@ -43,6 +43,10 @@ describe "Forme Sequel::Model forms" do
     @b.input(:name, :type=>:textarea).to_s.must_equal '<label>Name: <textarea id="album_name" name="album[name]">b</textarea></label>'
     @c.input(:name, :type=>:textarea).to_s.must_equal '<label>Name: <textarea id="album_name" name="album[name]">c</textarea></label>'
   end
+
+  it "should not include labels for hidden inputs" do
+    @b.input(:name, :type=>:hidden).to_s.must_equal '<input id="album_name" name="album[name]" type="hidden" value="b"/>'
+  end
   
   it "should use number inputs for integers" do
     @b.input(:copies_sold).to_s.must_equal '<label>Copies sold: <input id="album_copies_sold" name="album[copies_sold]" type="number" value="10"/></label>'
@@ -61,6 +65,10 @@ describe "Forme Sequel::Model forms" do
     @b.input(:created_at).to_s.must_equal '<label>Created at: <input id="album_created_at" name="album[created_at]" type="datetime-local" value="2011-06-05T00:00:00.000"/></label>'
   end
 
+  it "should use file inputs without value" do
+    @b.input(:name, :type=>:file).to_s.must_equal '<label>Name: <input id="album_name" name="album[name]" type="file"/></label>'
+  end
+
   it "should include type as wrapper class" do
     @ab.values[:created_at] = DateTime.new(2011, 6, 5)
     f = Forme::Form.new(@ab, :wrapper=>:li)

data/spec/spec_helper.rb

@@ -2,7 +2,7 @@ $:.unshift(File.join(File.dirname(File.dirname(File.expand_path(__FILE__))), 'li
 
 if ENV['WARNING']
   require 'warning'
-  Warning.ignore(:missing_ivar)
+  Warning.ignore([:missing_ivar, :not_reached])
 end
 
 if ENV['COVERAGE']
@@ -11,4 +11,8 @@ if ENV['COVERAGE']
 end
 
 require 'forme'
+
+require 'rubygems'
+ENV['MT_NO_PLUGINS'] = '1' # Work around stupid autoloading of plugins
+gem 'minitest'
 require 'minitest/autorun'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: forme
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-07 00:00:00.000000000 Z
+date: 2018-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -158,6 +158,7 @@ files:
 - lib/forme.rb
 - lib/forme/bs3.rb
 - lib/forme/erb.rb
+- lib/forme/erb_form.rb
 - lib/forme/form.rb
 - lib/forme/input.rb
 - lib/forme/rails.rb
@@ -173,6 +174,7 @@ files:
 - lib/forme/transformers/wrapper.rb
 - lib/forme/version.rb
 - lib/roda/plugins/forme.rb
+- lib/roda/plugins/forme_route_csrf.rb
 - lib/sequel/plugins/forme.rb
 - lib/sequel/plugins/forme_i18n.rb
 - lib/sequel/plugins/forme_set.rb
@@ -219,7 +221,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: HTML forms library