[LRUG] How to *not* add an authenticity token to a form

Murray Steele murray.steele at gmail.com
Thu Jul 23 04:07:24 PDT 2009


2009/7/23 Taryn East <teast at globalpersonals.co.uk>

>
> 2009/7/23 Murray Steele <murray.steele at gmail.com>
>
>
>>
>> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
>>
>>> Hi all,
>>>
>>> Is there no way to render a form without the authenticity token? No other
>>> ideas?
>>>
>>
>> The bit that controls when an auth token is rendered is
>> protect_against_forgery?, a helper method which relies on the class level
>> allow_forgery_protection variable.  So on a controller level you could
>> probably do this:
>>
>> class IDontCareAboutNoForgeryController < ApplicationController
>>     self.allow_forgery_protection = false
>> end
>>
>> However, I can imagine that you might want the controller to care about
>> forgery protection if auth tokens are provided, but in certain actions not
>> actually bother with rendering an auth token.  I don't think you can
>> selectively include helpers in actions, so you might have to do some
>> before_filter helper fu (or just use a separate controller for rendering the
>> un-auth-token-generating-forms).
>>
>
> I thought so too... but from looking into the source code "allow forgery
> protection" is just another way of calling the *verify_authenticity_token*
> filter (you can see it here:
> http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery).
>
> It doesn't actually stop the token from being rendered into the form for
> that action (I checked).
>
> I'm now simply curious about whether or not there is actually a way to not
> render the authenticity token... regardless of the actual application of
> said token. Is there a way of telling rails "don't render the token in this
> form/action" and having it actually obey... short of hacking into core?
>

Well, I know that in my tests I have a:

def protect_against_forgery?
  false
end

so that none of my forms are rendered with auth tokens (there's some reason
I didn't want certain tests to try and generate auth tokens, but I can't
remember what it is).  So I'm fairly sure that providing a
protect_against_forgery? method that returns false gets you what you want.
It's just a case of making that method available only to the views where you
don't want auth tokens rendered.

Muz
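The thread talks about three pieces that have to agree: the class-level allow_forgery_protection switch, the protect_against_forgery? helper that form_for/form_tag consult before emitting the hidden authenticity_token field, and the verify_authenticity_token filter that protect_from_forgery installs. The following is an added, constructed stand-in for those pieces (it is not Rails code and not from anyone on the list); the ToyController class, its render_form and verify_authenticity_token methods and the secure_compare helper are all assumptions made so the interaction can be exercised offline. It shows the caveat that matters for Taryn's question: if a view stops rendering the token (Murray's protect_against_forgery? override) while the receiving controller still verifies it, every non-GET submission of that form is rejected, so suppressing the token and skipping verification have to be decided together for the same action.

```ruby
require 'securerandom'

# Constant-time byte comparison so a token check does not leak how many
# leading bytes matched through timing (assumption: a hand-rolled helper,
# not Rails' own implementation).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed model of the Rails 2.x request-forgery-protection pieces
# named in the thread. Not Rails code.
class ToyController
  class << self
    attr_writer :allow_forgery_protection
    # Class-level switch, inherited by subclasses, default on.
    def allow_forgery_protection
      return @allow_forgery_protection if instance_variable_defined?(:@allow_forgery_protection)
      superclass.respond_to?(:allow_forgery_protection) ? superclass.allow_forgery_protection : true
    end
  end

  attr_reader :session, :params

  # session and params are plain hashes standing in for the request objects.
  def initialize(session: {}, params: {}, method: 'POST')
    @session, @params, @method = session, params, method
  end

  # The helper the form builders consult before emitting the hidden field.
  def protect_against_forgery?
    self.class.allow_forgery_protection
  end

  # Per-session secret the hidden field must echo back.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.hex(16)
  end

  # What form_tag / form_for produce: the hidden token only if the helper says so.
  def render_form
    fields = ['<input type="text" name="q" />']
    if protect_against_forgery?
      fields.unshift(%(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token}" />))
    end
    %(<form method="post">#{fields.join}</form>)
  end

  # The before filter protect_from_forgery installs: non-GET requests must
  # carry a token equal to the session's token, or the request is refused.
  def verify_authenticity_token
    return true unless protect_against_forgery?
    return true if @method == 'GET'
    secure_compare(@params['authenticity_token'].to_s, form_authenticity_token)
  end
end

# Murray's first suggestion: switch protection off for a whole controller.
# In this model that disables both rendering and verification together.
class IDontCareAboutNoForgeryController < ToyController
  self.allow_forgery_protection = false
end

# Murray's test-helper trick applied to only the view side: the token is not
# rendered, but the class-level switch (and so the filter) stays on.
class TokenlessViewController < ToyController
  def protect_against_forgery?
    false
  end
end

# Render a form with one controller and submit it to another sharing the
# same session; returns whether the filter would let the POST through.
def submit_rendered_form(renderer_class, receiver_class)
  session = {}
  html = renderer_class.new(session: session).render_form
  params = {}
  if html =~ /name="authenticity_token" value="([0-9a-f]+)"/
    params['authenticity_token'] = Regexp.last_match(1)
  end
  receiver_class.new(session: session, params: params, method: 'POST').verify_authenticity_token
end

if __FILE__ == $PROGRAM_NAME
  puts "default form carries token: #{ToyController.new.render_form.include?('authenticity_token')}"
  puts "no-forgery controller renders token: #{IDontCareAboutNoForgeryController.new.render_form.include?('authenticity_token')}"
  puts "tokenless view submitted to a verifying action accepted: #{submit_rendered_form(TokenlessViewController, ToyController)}"
end
```

In real Rails 2.x terms, the action that receives a tokenless form has to opt out of the filter as well (skip_before_filter :verify_authenticity_token for that action), otherwise the override only produces forms that the application then refuses; the model above makes that failure visible rather than silent.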