Add verification to scaffolds (generated and reflection based). Require POST for unsafe actions [Michael Koziarski]. Closes #2601

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@3864 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2026-04-26 03:00:59 -04:00 · 2006-03-14 01:57:12 +00:00
parent e9d6fea533
commit c6abe81b1e
6 changed files with 19 additions and 2 deletions
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*

+* Add Verification to scaffolds.   Prevent destructive actions using GET [Michael Koziarski]
+
 * Avoid hitting the filesystem when using layouts by using a File.directory? cache. [Stefan Kaes, Nicholas Seckar]

 * Simplify ActionController::Base#controller_path [Nicholas Seckar]
--- a/actionpack/lib/action_controller/scaffolding.rb
+++ b/actionpack/lib/action_controller/scaffolding.rb
@@ -98,6 +98,11 @@ module ActionController
        end
        
        module_eval <<-"end_eval", __FILE__, __LINE__
+          
+          verify :method=>:post, :only=>[:destroy#{suffix}, :create#{suffix}, :update#{suffix}],
+                 :redirect_to=>{:action=>:list#{suffix}}
+          
+        
          def list#{suffix}
            @#{singular_name}_pages, @#{plural_name} = paginate :#{plural_name}, :per_page => 10
            render#{suffix}_scaffold "list#{suffix}"
--- a/actionpack/lib/action_controller/templates/scaffolds/list.rhtml
+++ b/actionpack/lib/action_controller/templates/scaffolds/list.rhtml
@@ -14,7 +14,7 @@
  <% end %>
    <td><%= link_to "Show", :action => "show#{@scaffold_suffix}", :id => entry %></td>
    <td><%= link_to "Edit", :action => "edit#{@scaffold_suffix}", :id => entry %></td>
-    <td><%= link_to "Destroy", {:action => "destroy#{@scaffold_suffix}", :id => entry}, {:confirm => "Are you sure?"} %></td>
+    <td><%= link_to "Destroy", {:action => "destroy#{@scaffold_suffix}", :id => entry}, {:confirm => "Are you sure?", :post=>true} %></td>
  </tr>
 <% end %>
 </table>
--- a/railties/CHANGELOG
+++ b/railties/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*

+* Add verification to generated scaffolds,  don't allow get for unsafe actions [Michael Koziarski]
+
 * Don't replace application.js in public/javascripts if it already exists [Cody Fauser]

 * Change test:uncommitted to delay execution of `svn status` by using internal Rake API's. [Nicholas Seckar]
--- a/railties/lib/rails_generator/generators/components/scaffold/templates/controller.rb
+++ b/railties/lib/rails_generator/generators/components/scaffold/templates/controller.rb
@@ -11,6 +11,14 @@ class <%= controller_class_name %>Controller < ApplicationController
  end

 <% end -%>
+
+  # GET should only be used for operations which are 'safe', or read-only. So require
+  # post for all actions which change state.
+  #  
+  # http://www.w3.org/2001/tag/doc/whenToUseGet.html
+  verify :method=>:post, :only=>[:destroy<%= suffix %>, :create<%= suffix %>, :update<%= suffix %>],
+         :redirect_to=> {:action=>:list<%= suffix %>}
+
  def list<%= suffix %>
    @<%= singular_name %>_pages, @<%= plural_name %> = paginate :<%= plural_name %>, :per_page => 10
  end
--- a/railties/lib/rails_generator/generators/components/scaffold/templates/view_list.rhtml
+++ b/railties/lib/rails_generator/generators/components/scaffold/templates/view_list.rhtml
@@ -14,7 +14,7 @@
  <%% end %>
    <td><%%= link_to 'Show', :action => 'show<%= suffix %>', :id => <%= singular_name %> %></td>
    <td><%%= link_to 'Edit', :action => 'edit<%= suffix %>', :id => <%= singular_name %> %></td>
-    <td><%%= link_to 'Destroy', { :action => 'destroy<%= suffix %>', :id => <%= singular_name %> }, :confirm => 'Are you sure?' %></td>
+    <td><%%= link_to 'Destroy', { :action => 'destroy<%= suffix %>', :id => <%= singular_name %> }, :confirm => 'Are you sure?', :post=>true %></td>
  </tr>
 <%% end %>
 </table>