[LRUG] How to *not* add an authenticity token to a form

Taryn East teast at globalpersonals.co.uk
Thu Jul 23 04:29:13 PDT 2009


Ah sorry - you're right. I got "protect_against_forgery?" mixed up with
"protect_from_forgery" (similar names are confusing).
Great - curiosity sated ;)

Cheers,
Taryn

2009/7/23 Chris Mear <chrismear at gmail.com>

> On 23 Jul 2009, at 11:54, Taryn East wrote:
>
>> 2009/7/23 Murray Steele <murray.steele at gmail.com>
>>
>>> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
>>>
>>>> class IDontCareAboutNoForgeryController < ApplicationController
>>>>    self.allow_forgery_protection = false
>>>> end
>>>>
>>>
>>> I thought so too... but from looking into the source code "allow forgery
>>> protection" is just another way of calling the verify_authenticity_token
>>> filter (you can see it here:
>>> http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery
>>> ).
>>>
>>> It doesn't actually stop the token from being rendered into the form for
>>> that action (I checked).
>>>
>>
> I just tried this in a virgin Rails 2.3.3 app, and setting
> allow_forgery_protection to false did indeed stop the authenticity token
> being rendered (at least for a form_tag call). It's just a class variable,
> which is simply checked by
> ActionController::RequestForgeryProtection::ClassMethods.protect_against_forgery?,
> which is in turn called by
> ActionView::Helpers::FormTagHelper.extra_tags_for_form when it's rendering
> the form tag. So there might be something else sneaky going on in your app.
>
> In the bigger scheme of things, what's wrong with just rendering some
> random token in the form, and then ignoring it when the form is submitted?
>
> Chris
>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
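The mechanism Chris describes (a class-level flag, read by protect_against_forgery?, which the form helper consults before emitting the hidden token and the before-filter consults before checking it) as a stand-alone model written for this page. This is illustrative code, not Rails source: the class and method names are simplified stand-ins for ActionController::RequestForgeryProtection and ActionView::Helpers::FormTagHelper#extra_tags_for_form, and the session is a plain Hash.

```ruby
# Stand-alone model of the Rails 2.3 forgery-protection switch discussed in
# the thread. Written for this page; NOT Rails source. Names below are
# simplified stand-ins for the real ActionController/ActionView helpers.
require 'securerandom'
require 'cgi'

class ApplicationController
  # Class-level flag, inherited by subclasses and overridable per controller
  # (stand-in for the allow_forgery_protection class attribute).
  @allow_forgery_protection = true

  class << self
    attr_accessor :allow_forgery_protection

    # Copy the parent's setting down when a subclass is defined, so a
    # subclass that says nothing keeps protection on.
    def inherited(subclass)
      super
      subclass.allow_forgery_protection = allow_forgery_protection
    end

    # Stand-in for protect_against_forgery?: it just reads the flag.
    def protect_against_forgery?
      allow_forgery_protection
    end
  end

  attr_reader :session

  # @session is a plain Hash standing in for the Rails session store.
  def initialize(session = {})
    @session = session
  end

  def protect_against_forgery?
    self.class.protect_against_forgery?
  end

  # Per-session token, generated lazily (stand-in for form_authenticity_token).
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.hex(16)
  end

  # Stand-in for extra_tags_for_form: the hidden input is only emitted when
  # the controller's class says protection is on.
  def extra_tags_for_form
    return '' unless protect_against_forgery?
    token = CGI.escapeHTML(form_authenticity_token)
    %(<input type="hidden" name="authenticity_token" value="#{token}" />)
  end

  # Stand-in for form_tag: opens the form and appends the extra tags.
  def form_tag(action)
    %(<form action="#{action}" method="post">#{extra_tags_for_form}</form>)
  end

  # Stand-in for the verify_authenticity_token before-filter. The same flag
  # that removes the token from the form also skips the check on submit.
  def verified_request?(params)
    return true unless protect_against_forgery?
    params['authenticity_token'] == form_authenticity_token
  end
end

# Protection stays on here: token rendered and checked.
class PostsController < ApplicationController; end

# Protection off for this controller only (the class from the thread).
class IDontCareAboutNoForgeryController < ApplicationController
  self.allow_forgery_protection = false
end

if __FILE__ == $PROGRAM_NAME
  puts PostsController.new.form_tag('/posts')
  puts IDontCareAboutNoForgeryController.new.form_tag('/whatever')
end
```

Running the file prints one form containing the hidden authenticity_token input and one without it. Note what the flag buys and what it costs: with it set to false, verified_request? returns true for any POST, so every action on that controller is reachable cross-site. On Chris's closing question, a token that is rendered but ignored on submission gives exactly the same (absent) protection; the hidden field is only worth anything if the filter compares it against the session.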

