[LRUG] How to *not* add an authenticity token to a form

Taryn East teast at globalpersonals.co.uk
Thu Jul 23 03:54:03 PDT 2009


2009/7/23 Murray Steele <murray.steele at gmail.com>

>
>
> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
>
>> Hi all,
>>
>> Is there no way to render a form without the authenticity token? No other
>> ideas?
>>
>
> The bit that controls when an auth token is rendered is
> protect_against_forgery?, a helper method which relies on the class level
> allow_forgery_protection variable.  So on a controller level you could
> probably do this:
>
> class IDontCareAboutNoForgeryController < ApplicationController
>     self.allow_forgery_protection = false
> end
>
> However, I can imagine that you might want the controller to care about
> forgery protection if auth tokens are provided, but in certain actions not
> actually bother with rendering an auth token.  I don't think you can
> selectively include helpers in actions, so you might have to do some
> before_filter helper fu (or just use a separate controller for rendering the
> un-auth-token-generating-forms).
>

I thought so too... but from looking into the source code "allow forgery
protection" is just another way of calling the
*verify_authenticity_token* filter (you can see it here:
http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery).

It doesn't actually stop the token from being rendered into the form for
that action (I checked).

I'm now simply curious about whether or not there is actually a way to not
render the authenticity token... regardless of the actual application of
said token. Is there a way of telling rails "don't render the token in this
form/action" and having it actually obey... short of hacking into core?


Cheers,
Taryn