add session option to protection, fixes #601

sinatra · Feb 26, 2013 · 5aa1c7c · 5aa1c7c
1 parent 8a0020b
commit 5aa1c7c
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/CHANGES b/CHANGES
@@ -73,6 +73,9 @@
  * Setting status code to 404 in error handler no longer triggers not_found
    handler. (Konstantin Haase)
 
+ * The `protection` option now takes a `session` key for force
+   disabling/enabling session based protections. (Konstantin Haase)
+
  * Improve documentation. (Kashyap, Stanislav Chistenko, Zachary Scott, 
    Anthony Accomazzo, Peter Suschlik, Rachel Mehl, ymmtmsys, Anurag Priyam,
    burningTyger, Tony Miller, akicho8, Vasily Polovnyov, Markus Prinz,

diff --git a/README.md b/README.md
@@ -1845,6 +1845,15 @@ You can also hand in an array in order to disable a list of protections:
     set :protection, :except => [:path_traversal, :session_hijacking]
 ```
 
+By default, Sinatra will only set up session based protection if `:sessions`
+has been enabled. Sometimes you want to set up sessions on your own, though. In
+that case you can get it to set up session based protections by passing the `:session` option:
+
+```ruby
+    use Rack::Session::Pool
+    set :protection, :session => true
+```
+
 ### Available Settings
 
 <dl>

diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
@@ -1590,8 +1590,9 @@ def setup_custom_logger(builder)
       def setup_protection(builder)
         return unless protection?
         options = Hash === protection ? protection.dup : {}
+        protect_session  = options.fetch(:session) { sessions? }
         options[:except] = Array options[:except]
-        options[:except] += [:session_hijacking, :remote_token] unless sessions?
+        options[:except] += [:session_hijacking, :remote_token] unless protect_session
         options[:reaction] ||= :drop_session
         builder.use Rack::Protection, options
       end

diff --git a/test/settings_test.rb b/test/settings_test.rb
@@ -557,5 +557,26 @@ def use(middleware, *)
         assert !MiddlewareTracker.used.include?(Rack::Protection::PathTraversal)
       end
     end
+
+    it 'sets up RemoteToken if sessions are enabled' do
+      MiddlewareTracker.track do
+        Sinatra.new { enable :sessions }.new
+        assert_include MiddlewareTracker.used, Rack::Protection::RemoteToken
+      end
+    end
+
+    it 'does not set up RemoteToken if sessions are disabled' do
+      MiddlewareTracker.track do
+        Sinatra.new.new
+        assert !MiddlewareTracker.used.include?(Rack::Protection::RemoteToken)
+      end
+    end
+
+    it 'sets up RemoteToken if it is configured to' do
+      MiddlewareTracker.track do
+        Sinatra.new { set :protection, :session => true }.new
+        assert_include MiddlewareTracker.used, Rack::Protection::RemoteToken
+      end
+    end
   end
 end