[LRUG] How to *not* add an authenticity token to a form
Chris Mear
chrismear at gmail.com
Thu Jul 23 05:07:18 PDT 2009
On 23 Jul 2009, at 12:33, Murray Steele wrote:
> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
> Ah sorry - you're right. I got "protect_against_forgery?" mixed up
> with "protect_from_forgery" (similar names are confusing).
> great - curiosity sated ;)
>
> I dug deeper and it turns out we're both right. If you're rendering
> a get you never get an auth token, if you're rendering a post you'll
> get an auth token depending on the result of protect_against_forgery?,
> any other method and you'll always get an auth token.
>
> Sounds like someone should wrap that up into a patch as it seems
> inconsistent at best.
It does appear that way, but the token_tag method itself also checks
the protect_against_forgery? method. So it seems to be working as
expected, at least when I tested it quickly.
Chris
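
The behaviour discussed in this thread, as an added Ruby example that is not part of the original message and not Rails's own source: a simplified stand-alone model of the three branches (GET, POST, other methods) and of a token_tag that checks protect_against_forgery? itself. `FormModel`, `extra_tags`, `token_matrix`, the field name and the token value are hypothetical names and constructed values.

```ruby
# Simplified model of the logic described in the thread (not Rails code).
class FormModel
  # forgery_protection stands in for whatever protect_against_forgery?
  # returns in the real view; the token is a constructed sample value.
  def initialize(forgery_protection:, token: "constructed-token")
    @forgery_protection = forgery_protection
    @token = token
  end

  def protect_against_forgery?
    @forgery_protection
  end

  # Performs its own protect_against_forgery? check, so a caller that
  # invokes it unconditionally still gets nothing when protection is off.
  def token_tag
    return "" unless protect_against_forgery?
    %(<input type="hidden" name="authenticity_token" value="#{@token}" />)
  end

  # Extra hidden fields emitted for a form with the given HTTP method.
  def extra_tags(method)
    case method.to_s
    when /\Aget\z/i
      ""                                        # GET: never a token
    when /\Apost\z/i, ""
      protect_against_forgery? ? token_tag : "" # POST: explicit check
    else
      # Other methods: method-override field plus an unconditional
      # token_tag call, which is safe because token_tag checks too.
      %(<input type="hidden" name="_method" value="#{method}" />) + token_tag
    end
  end
end

# Maps [method, protection_enabled] => whether a token field was emitted.
def token_matrix
  result = {}
  [true, false].each do |enabled|
    form = FormModel.new(forgery_protection: enabled)
    %w[get post put delete].each do |m|
      result[[m, enabled]] = form.extra_tags(m).include?("authenticity_token")
    end
  end
  result
end
```

With protection disabled, no method produces a token field, so the branches look inconsistent but behave consistently.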