[LRUG] How to *not* add an authenticity token to a form
Chris Mear
chrismear at gmail.com
Thu Jul 23 04:16:30 PDT 2009
On 23 Jul 2009, at 11:54, Taryn East wrote:
> 2009/7/23 Murray Steele <murray.steele at gmail.com>
>> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
>>> class IDontCareAboutNoForgeryController < ApplicationController
>>>   self.allow_forgery_protection = false
>>> end
>>
>> I thought so too... but from looking into the source code "allow
>> forgery protection" is just another way of calling the
>> verify_authenticity_token filter (you can see it here:
>> http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery).
>>
>> It doesn't actually stop the token from being rendered into the
>> form for that action (I checked).
I just tried this in a virgin Rails 2.3.3 app, and setting
allow_forgery_protection to false did indeed stop the authenticity
token being rendered (at least for a form_tag call). It's just a class
variable, which is simply checked by
ActionController::RequestForgeryProtection::ClassMethods.protect_against_forgery?,
which is in turn called by
ActionView::Helpers::FormTagHelper.extra_tags_for_form when it's
rendering the form tag. So there might be something else sneaky going
on in your app.
In the bigger scheme of things, what's wrong with just rendering some
random token in the form, and then ignoring it when the form is
submitted?
Chris
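An added, stand-alone illustration of the mechanics Chris describes (not code from this thread and not Rails' own implementation; the module, class and method names below are this example's, chosen to mirror the shape of Rails 2.3's RequestForgeryProtection and FormTagHelper#extra_tags_for_form). It puts the three postures side by side: the default, the snippet from the thread with allow_forgery_protection = false, and the "render a token and ignore it" option from the closing question, then shows for each whether the hidden field is rendered and whether a cross-site POST carrying no token gets through.

```ruby
require "securerandom"

# Assumed stand-in for Rails 2.3's ActionController::RequestForgeryProtection;
# same shape as the thread describes, but not Rails code.
module ForgeryProtection
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Class-level switch behind `self.allow_forgery_protection = false`;
    # a subclass inherits its superclass's value unless it sets its own.
    attr_writer :allow_forgery_protection

    def allow_forgery_protection
      return @allow_forgery_protection unless @allow_forgery_protection.nil?
      superclass.respond_to?(:allow_forgery_protection) ? superclass.allow_forgery_protection : true
    end

    # Stand-in for `skip_before_filter :verify_authenticity_token`.
    def skip_verify_authenticity_token
      @skip_verify = true
    end

    def verify_authenticity_token?
      return false if @skip_verify
      superclass.respond_to?(:verify_authenticity_token?) ? superclass.verify_authenticity_token? : true
    end
  end

  # What the form helper consults before emitting the hidden field.
  def protect_against_forgery?
    self.class.allow_forgery_protection
  end

  # Per-session random token, created on first use and kept in the session.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.hex(32)
  end

  # The comparison the verify_authenticity_token filter makes on a non-GET request.
  def verified_request?
    !protect_against_forgery? || request_get? ||
      params["authenticity_token"] == form_authenticity_token
  end
end

class InvalidAuthenticityToken < StandardError; end

# Minimal controller: session, params and HTTP method are handed in directly.
class ApplicationController
  include ForgeryProtection
  attr_reader :session, :params

  def initialize(session, params = {}, method = :post)
    @session, @params, @method = session, params, method
  end

  def request_get?
    @method == :get
  end

  # Mirrors extra_tags_for_form: the hidden token is emitted only when protected.
  def extra_tags_for_form
    return "" unless protect_against_forgery?
    %(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token}" />)
  end

  # Runs the verify filter (unless skipped), then the action.
  def handle_post
    raise InvalidAuthenticityToken if self.class.verify_authenticity_token? && !verified_request?
    :ok
  end
end

class ProtectedController < ApplicationController; end

# The thread's snippet: no token rendered and no verification for this controller.
class IDontCareAboutNoForgeryController < ApplicationController
  self.allow_forgery_protection = false
end

# "Render a random token and ignore it": field still emitted, check never run.
class RenderButIgnoreController < ApplicationController
  skip_verify_authenticity_token
end

def accepted?(controller)
  controller.handle_post
  true
rescue InvalidAuthenticityToken
  false
end

# Render the form in one GET, then replay a cross-site POST that carries no token.
def forgery_posture(klass)
  session = {}
  html = klass.new(session, {}, :get).extra_tags_for_form
  { token_rendered: html.include?('name="authenticity_token"'),
    forged_post_accepted: accepted?(klass.new(session, {}, :post)) }
end

# A genuine post echoes back the token that was rendered into the form.
def genuine_post_accepted?(klass)
  session = {}
  klass.new(session, {}, :get).extra_tags_for_form
  accepted?(klass.new(session, { "authenticity_token" => session[:_csrf_token] }, :post))
end
```

The point worth taking from the last two classes: the class flag switches off both the rendering and the check, whereas skipping only the filter leaves a token in the markup that protects nothing, so for that action the two are equivalent from an attacker's side, and the rendered token just costs a session entry and a hidden field.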