forme 2.4.1 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60794aa5c742e3b40bacd043172a0e201358b944a653f3bd013bf8e6a254154b
-  data.tar.gz: ae16923653b5bb463f430735a57b1f710a3ccb53420b124f15b6a5e72f290c2e
+  metadata.gz: 79c0b3986af69becb74de866d9027eafb1af2b148056c60963e8c8c6af04ad3d
+  data.tar.gz: 8478ef6951317b7a33bf7c3b2630291bcd94bb94fcbb2820ef89d08c0addfaec
 SHA512:
-  metadata.gz: b3f915c5dd32938874513739d29a2f6c04365a1f636c2dc814ce2a17de07beb4a9c8000e4f40b112bb8d4198d005552dafcf0cbb957dc0ffa9e11c0b6b820f33
-  data.tar.gz: 5528741694ca0c36800ce9cacab5a7e764698da5c9c9f1e4bb17bfce9c9a0ba86a354a0e2eca14a9825b5ee792aa7dc5c62eb687b8d5a540fa7b2fea47220617
+  metadata.gz: c63cedc392288fba47d26da036ed2ad145acf4493683600cbad71238f66fd61dfeb91cadc1db68ab2211ff3cf6cd69622f17934f9ea0be4e4006a53c2baa0a07
+  data.tar.gz: ef4a1d7b5bfdd0dc83d5f52b87f8dbc0785f03ccdfdb8d7e1bdfe160e85636fc2165fae7916489c8d22ba082293a64b3e0a466c67e4a4fe3a90726f4d228ffb1

data/CHANGELOG

@@ -1,3 +1,11 @@
+=== 2.5.0 (2024-02-13)
+
+* Add hidden inputs to work with formaction/formmethod support in Roda 3.77+ route_csrf plugin (jeremyevans)
+
+* Support :formaction option on buttons (jeremyevans)
+
+* Support emit: false option for non-rails template forms allowing block based form use without appending to template (jeremyevans)
+
 === 2.4.1 (2023-09-19)
 
 * Add dependency on bigdecimal, as bigdecimal is moving from standard library to bundled gem in Ruby 3.4 (jeremyevans)

data/README.rdoc

@@ -800,7 +800,7 @@ For new code, it is recommended to use forme_route_csrf, as that uses Roda's rou
 plugin, which supports more secure request-specific CSRF tokens.  In both cases, usage in ERB
 templates is the same:
 
-  <% form(@obj, :action=>'/foo') do |f| %>
+  <% form(@obj, action: '/foo') do |f| %>
     <%= f.input(:field) %>
     <% f.tag(:fieldset) do %>
       <%= f.input(:field_two) %>
@@ -810,6 +810,8 @@ templates is the same:
 The forme_route_csrf plugin's +form+ method supports the following options
 in addition to the default +Forme.form+ options:
 
+:emit :: Set to false to not emit implicit tags into template.  This should only be
+         used if you are not modifying the template inside the block.
 :csrf :: Set to force whether a CSRF tag should be included.  By default, a CSRF
          tag is included if the form's method is one of the request methods checked
          by the Roda route_csrf plugin.
@@ -818,6 +820,19 @@ in addition to the default +Forme.form+ options:
                                CSRF token unless the Roda route_csrf plugin has been
                                configured to support non-request specific tokens.
 
+The <tt>emit: false</tt> option allows you to do:
+
+  <%= form(@obj, {action: '/foo'}, emit: false) do |f|
+    f.input(:field)
+    f.tag(:fieldset) do
+      f.input(:field_two)
+    end
+  end %>
+
+This is useful if you are calling some method that calls +form+ with a block,
+where the resulting entire Forme::Forme object will be literalized into the
+template. The form will include the CSRF token and forme_set metadata as appropriate.
+
 The forme plugin does not require any csrf plugin, but will transparently use
 Rack::Csrf if it is available. If Rack::Csrf is available a CSRF tag if the form's
 method is +POST+, with no configuration ability.
@@ -856,7 +871,8 @@ It allows you to use the following API in your erb templates:
   <% end %>
 
 In order to this to work transparently, the ERB outvar needs to be <tt>@_out_buf</tt> (this is the
-default in Sinatra).
+default in Sinatra).  The Sinatra extension also supports the <tt>emit: false</tt> option to not
+directly modify the related template (see example in the Roda section for usage).
 
 = Rails Support
 

data/lib/forme/template.rb

@@ -72,9 +72,9 @@ module Forme
       private
 
       def _forme_form(obj, attr, opts, &block)
-        if block_given?
+        if block && opts[:emit] != false
           erb_form = buffer = offset = nil
-          block = proc do
+          form_block = proc do
             wrapped_form = erb_form.instance_variable_get(:@form)
             buffer = wrapped_form.to_s
             offset = buffer.length
@@ -83,9 +83,9 @@ module Forme
             offset = buffer.length
           end
 
-          f, attr, block = _forme_wrapped_form_class.form_args(obj, attr, opts, &block)
+          f, attr, form_block = _forme_wrapped_form_class.form_args(obj, attr, opts, &form_block)
           erb_form = _forme_form_class.new(f, self)
-          erb_form.form(attr, &block)
+          erb_form.form(attr, &form_block)
           erb_form.emit(buffer[offset, buffer.length])
         else
           _forme_wrapped_form_class.form(obj, attr, opts, &block)

data/lib/forme/transformers/formatter.rb

@@ -268,6 +268,12 @@ module Forme
       ret
     end
 
+    # Formats a submit input.  Respects :formaction option.
+    def format_submit
+      copy_options_to_attributes([:formaction])
+      _format_input(:submit)
+    end
+
     # Formats a textarea.  Respects the following options:
     # :value :: Sets value as the child of the textarea.
     def format_textarea

data/lib/forme/version.rb

@@ -6,11 +6,11 @@ module Forme
   MAJOR = 2
 
   # The minor version of Forme, updated for new feature releases of Forme.
-  MINOR = 4
+  MINOR = 5
 
   # The patch version of Forme, updated only for bug fixes from the last
   # feature release.
-  TINY = 1
+  TINY = 0
 
   # Version constant, use <tt>Forme.version</tt> instead.
   VERSION = "#{MAJOR}.#{MINOR}.#{TINY}".freeze

data/lib/roda/plugins/forme_erubi_capture.rb

@@ -33,8 +33,8 @@ class Roda
       end
 
       module InstanceMethods
-        def form(*)
-          if block_given?
+        def _forme_form(obj, attr, opts, &block)
+          if block && opts[:emit] != false
             capture_erb do
               super
               instance_variable_get(render_opts[:template_opts][:outvar])

data/lib/roda/plugins/forme_route_csrf.rb

@@ -36,7 +36,7 @@ class Roda
           end
 
           if apply_csrf
-            token = if opts.fetch(:use_request_specific_token){use_request_specific_csrf_tokens?}
+            token = if use_request_specific_token = opts.fetch(:use_request_specific_token){use_request_specific_csrf_tokens?}
               csrf_token(csrf_path(attr[:action]), method)
             else
               csrf_token
@@ -46,6 +46,23 @@ class Roda
             opts[:_before] = lambda do |form|
               form.tag(:input, :type=>:hidden, :name=>csrf_field, :value=>token)
             end
+
+            if use_request_specific_token && (formaction_field = csrf_options[:formaction_field])
+              formactions = opts[:formactions] = []
+              formaction_tokens = opts[:formaction_tokens] = {}
+              _after = opts[:_after]
+              opts[:formaction_csrfs] = [formaction_field, formaction_tokens]
+              formaction_field = csrf_options[:formaction_field]
+              opts[:_after] = lambda do |form|
+                formactions.each do |action, method|
+                  path = csrf_path(action)
+                  fa_token = csrf_token(path, method)
+                  formaction_tokens[path] = fa_token
+                  form.tag(:input, :type=>:hidden, :name=>"#{formaction_field}[#{path}]", :value=>fa_token)
+                end
+                _after.call(form) if _after
+              end
+            end
           end
         end
       end

data/lib/roda/plugins/forme_set.rb

@@ -102,7 +102,9 @@ class Roda
         def _forme_form_options(obj, attr, opts)
           super
 
+          _after = opts[:_after]
           opts[:_after] = lambda do |form|
+            _after.call(form) if _after
             if (obj = form.opts[:obj]) && obj.respond_to?(:forme_inputs) && (forme_inputs = obj.forme_inputs)
               columns = []
               valid_values = {}
@@ -129,6 +131,9 @@ class Roda
               data['columns'] = columns
               data['namespaces'] = form.opts[:namespace]
               data['csrf'] = form.opts[:csrf]
+              if (formactions = form.opts[:formaction_csrfs]) && !formactions[1].empty?
+                data['formaction_csrfs'] = formactions
+              end
               data['valid_values'] = valid_values unless valid_values.empty?
               data['form_version'] = form.opts[:form_version] if form.opts[:form_version]
 
@@ -154,8 +159,16 @@ class Roda
 
           data = JSON.parse(data)
           csrf_field, hmac_csrf_value = data['csrf']
+          formaction_csrf_field, formaction_values = data['formaction_csrfs']
+
           if csrf_field
-            csrf_value = params[csrf_field].to_s
+            formaction_params = params[formaction_csrf_field]
+            if formaction_csrf_field && (formaction_params = params[formaction_csrf_field]).is_a?(Hash) && (csrf_value = formaction_params[request.path])
+              hmac_csrf_value = formaction_values[request.path]
+            else
+              csrf_value = params[csrf_field].to_s
+            end
+
             hmac_csrf_value = hmac_csrf_value.to_s
             unless Rack::Utils.secure_compare(csrf_value.ljust(hmac_csrf_value.length), hmac_csrf_value) && csrf_value.length == hmac_csrf_value.length
               return _forme_parse_error(:csrf_mismatch, obj)

data/lib/sequel/plugins/forme.rb

@@ -17,6 +17,22 @@ module Sequel # :nodoc:
       # that use a <tt>Sequel::Model</tt> instance as the form's
       # +obj+.
       module SequelForm
+        # If the form has the :formactions option and the button has the
+        # formaction option or attribute, append the action and method
+        # for this button to the formactions. This is used by the
+        # Roda forme_route_csrf and forme_set plugins so that formaction
+        # can work as expected.
+        def button(opts={})
+          if opts.is_a?(Hash) && (formactions = self.opts[:formactions]) &&
+              (formaction = opts[:formaction] || ((attr = opts[:attr]) && (attr[:formaction] || attr['formaction'])))
+            formmethod = opts[:formmethod] ||
+              ((attr = opts[:attr]) && (attr[:formmethod] || attr['formmethod'])) ||
+              ((attr = form_tag_attributes) && (attr[:method] || attr['method']))
+            formactions << [formaction, formmethod]
+          end
+          super
+        end
+
         # Use the post method by default for Sequel forms, unless
         # overridden with the :method attribute.
         def form(attr={}, &block)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: forme
 version: !ruby/object:Gem::Version
-  version: 2.4.1
+  version: 2.5.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-19 00:00:00.000000000 Z
+date: 2024-02-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bigdecimal
@@ -239,7 +239,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: HTML forms library