[LRUG] How to *not* add an authenticity token to a form
Matthew Rudy Jacobs
matthewrudyjacobs at gmail.com
Thu Jul 23 03:23:26 PDT 2009
Well
2009/7/23 Taryn East <teast at globalpersonals.co.uk>
> 2009/7/23 Matthew Rudy Jacobs <matthewrudyjacobs at gmail.com>
>
>>
>> 2009/7/23 Craig Webster <craig at xeriom.net>
>>
>>> Have you tried turning off forgery protection just for the actions
>>> that you're not interested in protecting using `skip_before_filter
>>> :verify_authenticity_token`?
>>
>>
>> this seems to be the right thing.
>>
>> from the rails docs;
>> ==========
>> *verify_authenticity_token*()
>>
>> The actual before_filter that is used. Modify this to change how you
>> handle unverified requests.
>>
> Yes - this is the solution I mentioned in my post - I know you can turn off
> verification... but my question is - surely there's another way?
>
With "skip_before_filter" you can turn it off per action.
If your only requirement is to forget about authenticity tokens for the
"signup" page,
then,
this seems like your best bet,
unless you're going to ajax in an authenticity token
which is going to undo the benefit of caching in the first place?
>
>
>
>>> When you say it seems like a nice place to cache, have you done any
>>> profiling? Will this actually give you a significant boost or does it
>>> just increase complexity?
>>
>>
> Nope - no profiling... this is idle speculation on what could-be... which
> is also interesting, IMO, even if lower priority than actual pain-points.
>
> Taryn
>
>
>