Merge pull request rails#43417 from seanpdoyle/button-to-authenticity-token

button_to: Support `authenticity_token:` option

Author: guilleiguaran

actionview/CHANGELOG.md

@@ -1,3 +1,18 @@
+*   Add support for `button_to ..., authenticity_token: false`
+
+    ```ruby
+    button_to "Create", Post.new, authenticity_token: false
+    # => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button></form>
+
+    button_to "Create", Post.new, authenticity_token: true
+    # => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button><input type="hidden" name="form_token" value="abc123..." autocomplete="off" /></form>
+
+    button_to "Create", Post.new, authenticity_token: "secret"
+    # => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button><input type="hidden" name="form_token" value="secret" autocomplete="off" /></form>
+    ```
+
+    *Sean Doyle*
+
 *   Support rendering `<form>` elements _without_ `[action]` attributes by:
 
     * `form_with url: false` or `form_with ..., html: { action: false }`

actionview/lib/action_view/helpers/url_helper.rb

@@ -344,6 +344,8 @@ def button_to(name = nil, options = nil, html_options = nil, &block)
         remote = html_options.delete("remote")
         params = html_options.delete("params")
 
+        authenticity_token = html_options.delete("authenticity_token")
+
         method     = html_options.delete("method").to_s
         method_tag = BUTTON_TAG_METHOD_VERBS.include?(method) ? method_tag(method) : "".html_safe
 
@@ -356,7 +358,7 @@ def button_to(name = nil, options = nil, html_options = nil, &block)
 
         request_token_tag = if form_method == "post"
           request_method = method.empty? ? "post" : method
-          token_tag(nil, form_options: { action: url, method: request_method })
+          token_tag(authenticity_token, form_options: { action: url, method: request_method })
         else
           ""
         end
@@ -780,7 +782,12 @@ def method_not_get_method?(method)
 
         def token_tag(token = nil, form_options: {})
           if token != false && defined?(protect_against_forgery?) && protect_against_forgery?
-            token ||= form_authenticity_token(form_options: form_options)
+            token =
+              if token == true || token.nil?
+                form_authenticity_token(form_options: form_options.merge(authenticity_token: token))
+              else
+                token
+              end
             tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token, autocomplete: "off")
           else
             ""

actionview/test/template/url_helper_test.rb

@@ -150,6 +150,39 @@ def test_button_to_without_protect_against_forgery_method
     self.class.define_method(:protect_against_forgery?) { request_forgery }
   end
 
+  def test_button_to_with_authenticity_token
+    self.request_forgery = true
+
+    assert_dom_equal(
+      %{<form method="post" action="http://www.example.com" class="button_to"><button type="submit">Hello</button><input name="form_token" type="hidden" value="token" autocomplete="off" /></form>},
+      button_to("Hello", "http://www.example.com", authenticity_token: "token")
+    )
+  ensure
+    self.request_forgery = false
+  end
+
+  def test_button_to_with_authenticity_token_true
+    self.request_forgery = true
+
+    assert_dom_equal(
+      %{<form method="post" action="http://www.example.com" class="button_to"><button type="submit">Hello</button><input name="form_token" type="hidden" value="secret" autocomplete="off" /></form>},
+      button_to("Hello", "http://www.example.com", authenticity_token: true)
+    )
+  ensure
+    self.request_forgery = false
+  end
+
+  def test_button_to_with_authenticity_token_false
+    self.request_forgery = true
+
+    assert_dom_equal(
+      %{<form method="post" action="http://www.example.com" class="button_to"><button type="submit">Hello</button></form>},
+      button_to("Hello", "http://www.example.com", authenticity_token: false)
+    )
+  ensure
+    self.request_forgery = false
+  end
+
   def test_button_to_with_straight_url
     assert_dom_equal %{<form method="post" action="http://www.example.com" class="button_to"><button type="submit">Hello</button></form>}, button_to("Hello", "http://www.example.com")
   end