[LRUG] How to *not* add an authenticity token to a form

Tom Lea lrug at tomlea.co.uk
Thu Jul 23 04:10:07 PDT 2009 

You probably need a to_sym in there.... but I left that as an exercise  
for the reader.

On 23 Jul 2009, at 12:06, Tom Lea wrote:

> How about this in your session controller (assuming restful).
>
> def protect_against_forgery?
>   super unless [:new, :create].include? params[:action]
> end
>
> (you don't need the skip_filter with this solution either)
>
> all untested. Good luck to ya!
>
> On 23 Jul 2009, at 11:54, Taryn East wrote:
>
>>
>> 2009/7/23 Murray Steele <murray.steele at gmail.com>
>>
>>
>> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
>> Hi all,
>>
>>
>> Is there no way to render a form without the authenticity token? No  
>> other ideas?
>>
>> The bit that controls when an auth token are rendered is  
>> protect_against_forgery? a helper method which relies on the class  
>> level allow_forgery_protection variable.  So on a controller level  
>> you could probably do this:
>>
>> class IDontCareAboutNoForgeryController < ApplicationController
>>     self.allow_forgery_protection = false
>> end
>>
>> However, I can imagine that you might want the controller to care  
>> about forgery protection if auth tokens are provided, but in  
>> certain actions not actually bother with rendering an auth token.   
>> I don't think you can selectively include helpers in actions, so  
>> you might have to do some before_filter helper fu (or just use a  
>> separate controller for rendering the un-auth-token-generating- 
>> forms).
>>
>> I thought so too... but from looking into the source code "allow  
>> forgery protection" is just another way of calling the  
>> verify_authenticity_token filter (you can see it here:http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery) 
>>  .
>>
>> It doesn't actually stop the token from being rendered into the  
>> form for  that action (I checked).
>>
>> I'm now simply curious about whether or not there is actually a way  
>> to not render the authenticity token... regardless of the actual  
>> application of said token. Is there a way of telling rails "don't  
>> render the token in this form/action" and having it actually  
>> obey... short of hacking into core?
>>
>>
>> Cheers,
>> Taryn
>> _______________________________________________
>> Chat mailing list
>> Chat at lists.lrug.org
>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20090723/6dd31f7a/attachment.html>

More information about the Chat mailing list