[LRUG] How to *not* add an authenticity token to a form

Chris Mear chrismear at gmail.com
Thu Jul 23 04:16:30 PDT 2009


On 23 Jul 2009, at 11:54, Taryn East wrote:

> 2009/7/23 Murray Steele <murray.steele at gmail.com>
>> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
>>> class IDontCareAboutNoForgeryController < ApplicationController
>>>     self.allow_forgery_protection = false
>>> end
>>
>> I thought so too... but from looking into the source code "allow
>> forgery protection" is just another way of calling the
>> verify_authenticity_token filter (you can see it here:
>> http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery).
>>
>> It doesn't actually stop the token from being rendered into the
>> form for that action (I checked).

I just tried this in a virgin Rails 2.3.3 app, and setting
allow_forgery_protection to false did indeed stop the authenticity
token being rendered (at least for a form_tag call). It's just a class
variable, which is simply checked by
ActionController::RequestForgeryProtection::ClassMethods.protect_against_forgery?,
which is in turn called by
ActionView::Helpers::FormTagHelper.extra_tags_for_form when it's
rendering the form tag. So there might be something else sneaky going
on in your app.

In the bigger scheme of things, what's wrong with just rendering some  
random token in the form, and then ignoring it when the form is  
submitted?

Chris
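The chain Chris describes, as an added toy model rather than Rails' own code: a class-level flag, read by protect_against_forgery?, decides both whether the form helper renders the hidden field and whether the request filter checks it. The module, ApplicationController and the session hash are stand-ins; only the method names mirror the Rails ones named in the thread.

```ruby
require 'securerandom'

# Added example, not Rails source: a toy re-creation of the chain Chris describes.
# A class-level flag is read by protect_against_forgery?, which both the form helper
# (before emitting the hidden authenticity_token field) and the request filter consult.
module ForgeryProtection
  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    attr_writer :allow_forgery_protection
    # Inherited down the controller hierarchy, like class_inheritable_accessor; on by default
    def allow_forgery_protection
      return @allow_forgery_protection unless @allow_forgery_protection.nil?
      superclass.respond_to?(:allow_forgery_protection) ? superclass.allow_forgery_protection : true
    end
  end

  # Stand-in for ActionController::RequestForgeryProtection#protect_against_forgery?
  def protect_against_forgery?
    self.class.allow_forgery_protection
  end

  # Per-session random token, as Rails keeps it in the session
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.hex(32)
  end

  # Stand-in for extra_tags_for_form: the hidden field is only rendered when protected
  def form_tag(action)
    hidden = protect_against_forgery? ? %(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token}" />) : ''
    %(<form action="#{action}" method="post">#{hidden}</form>)
  end

  # Stand-in for the verify_authenticity_token filter; true means the request is accepted
  def verified_request?(params)
    return true unless protect_against_forgery?
    submitted = params['authenticity_token'].to_s
    expected  = form_authenticity_token
    # constant-time comparison so a wrong token leaks nothing about the right one
    submitted.bytesize == expected.bytesize &&
      submitted.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

class ApplicationController
  include ForgeryProtection
  def initialize(session = {}); @session = session; end
end

# Taryn's controller from the thread: protection switched off for this controller only
class IDontCareAboutNoForgeryController < ApplicationController
  self.allow_forgery_protection = false
end
```

With the flag off, the form carries no token and the filter accepts every POST, which is exactly the state a CSRF check exists to prevent; with it on, only a request echoing the session's token passes.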



