[LRUG] How to *not* add an authenticity token to a form

Tom Lea lrug at tomlea.co.uk
Thu Jul 23 04:06:19 PDT 2009 

How about this in your session controller (assuming restful).

def protect_against_forgery?
   super unless [:new, :create].include? params[:action]
end

(you don't need the skip_filter with this solution either)

all untested. Good luck to ya!

On 23 Jul 2009, at 11:54, Taryn East wrote:

>
> 2009/7/23 Murray Steele <murray.steele at gmail.com>
>
>
> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
> Hi all,
>
>
> Is there no way to render a form without the authenticity token? No  
> other ideas?
>
> The bit that controls when an auth token are rendered is  
> protect_against_forgery? a helper method which relies on the class  
> level allow_forgery_protection variable.  So on a controller level  
> you could probably do this:
>
> class IDontCareAboutNoForgeryController < ApplicationController
>     self.allow_forgery_protection = false
> end
>
> However, I can imagine that you might want the controller to care  
> about forgery protection if auth tokens are provided, but in certain  
> actions not actually bother with rendering an auth token.  I don't  
> think you can selectively include helpers in actions, so you might  
> have to do some before_filter helper fu (or just use a separate  
> controller for rendering the un-auth-token-generating-forms).
>
> I thought so too... but from looking into the source code "allow  
> forgery protection" is just another way of calling the  
> verify_authenticity_token filter (you can see it here:http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery) 
>  .
>
> It doesn't actually stop the token from being rendered into the form  
> for  that action (I checked).
>
> I'm now simply curious about whether or not there is actually a way  
> to not render the authenticity token... regardless of the actual  
> application of said token. Is there a way of telling rails "don't  
> render the token in this form/action" and having it actually obey...  
> short of hacking into core?
>
>
> Cheers,
> Taryn
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20090723/94cbc3b1/attachment.html>

More information about the Chat mailing list