[LRUG] How to *not* add an authenticity token to a form

Omar Qureshi omaraliqureshi at googlemail.com
Thu Jul 23 04:14:40 PDT 2009


I would second the use of fragment caching if there are bits of the form
that are particularly complex to work out, otherwise, I wouldn't (and
currently don't) bother.

On Thu, Jul 23, 2009 at 12:10 PM, Tom Lea <lrug at tomlea.co.uk> wrote:

> You probably need a to_sym in there.... but I left that as an exercise for
> the reader.
>
> On 23 Jul 2009, at 12:06, Tom Lea wrote:
>
> How about this in your session controller (assuming restful).
>
> def protect_against_forgery?  super unless [:new, :create].include?
> params[:action]
> end
>
> (you don't need the skip_filter with this solution either)
>
> all untested. Good luck to ya!
>
> On 23 Jul 2009, at 11:54, Taryn East wrote:
>
>
> 2009/7/23 Murray Steele <murray.steele at gmail.com>
>
>>
>>
>> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
>>
>>> Hi all,
>>>
>>> Is there no way to render a form without the authenticity token? No other
>>> ideas?
>>>
>>
>> The bit that controls when an auth token are rendered is
>> protect_against_forgery? a helper method which relies on the class level
>> allow_forgery_protection variable.  So on a controller level you could
>> probably do this:
>>
>> class IDontCareAboutNoForgeryController < ApplicationController
>>     self.allow_forgery_protection = false
>> end
>>
>> However, I can imagine that you might want the controller to care about
>> forgery protection if auth tokens are provided, but in certain actions not
>> actually bother with rendering an auth token.  I don't think you can
>> selectively include helpers in actions, so you might have to do some
>> before_filter helper fu (or just use a separate controller for rendering the
>> un-auth-token-generating-forms).
>>
>
> I thought so too... but from looking into the source code "allow forgery
> protection" is just another way of calling the *verify_authenticity_token*filter (you can see it here:
> http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery)
> .
>
> It doesn't actually stop the token from being rendered into the form for
> that action (I checked).
>
> I'm now simply curious about whether or not there is actually a way to not
> render the authenticity token... regardless of the actual application of
> said token. Is there a way of telling rails "don't render the token in this
> form/action" and having it actually obey... short of hacking into core?
>
>
> Cheers,
> Taryn
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20090723/4f2619da/attachment-0003.html>


More information about the Chat mailing list