[LRUG] How to *not* add an authenticity token to a form

Taryn East teast at globalpersonals.co.uk
Thu Jul 23 04:26:51 PDT 2009


Well yes... that's what I'm really doing.
Again - this is a question out of curiosity rather than need. :)

Taryn

2009/7/23 Omar Qureshi <omaraliqureshi at googlemail.com>

> I would second the use of fragment caching if there are bits of the form
> that are particularly complex to work out, otherwise, I wouldn't (and
> currently don't) bother.
>
>
> On Thu, Jul 23, 2009 at 12:10 PM, Tom Lea <lrug at tomlea.co.uk> wrote:
>
>> You probably need a to_sym in there.... but I left that as an exercise for
>> the reader.
>>
>> On 23 Jul 2009, at 12:06, Tom Lea wrote:
>>
>> How about this in your session controller (assuming restful).
>>
>> def protect_against_forgery?  super unless [:new, :create].include?
>> params[:action]
>> end
>>
>> (you don't need the skip_filter with this solution either)
>>
>>  all untested. Good luck to ya!
>>
>> On 23 Jul 2009, at 11:54, Taryn East wrote:
>>
>>
>> 2009/7/23 Murray Steele <murray.steele at gmail.com>
>>
>>>
>>>
>>> 2009/7/23 Taryn East <teast at globalpersonals.co.uk>
>>>
>>>> Hi all,
>>>>
>>>> Is there no way to render a form without the authenticity token? No
>>>> other ideas?
>>>>
>>>
>>> The bit that controls when an auth token are rendered is
>>> protect_against_forgery? a helper method which relies on the class level
>>> allow_forgery_protection variable.  So on a controller level you could
>>> probably do this:
>>>
>>> class IDontCareAboutNoForgeryController < ApplicationController
>>>     self.allow_forgery_protection = false
>>> end
>>>
>>> However, I can imagine that you might want the controller to care about
>>> forgery protection if auth tokens are provided, but in certain actions not
>>> actually bother with rendering an auth token.  I don't think you can
>>> selectively include helpers in actions, so you might have to do some
>>> before_filter helper fu (or just use a separate controller for rendering the
>>> un-auth-token-generating-forms).
>>>
>>
>> I thought so too... but from looking into the source code "allow forgery
>> protection" is just another way of calling the *verify_authenticity_token
>> * filter (you can see it here:
>> http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery)
>> .
>>
>> It doesn't actually stop the token from being rendered into the form for
>> that action (I checked).
>>
>> I'm now simply curious about whether or not there is actually a way to not
>> render the authenticity token... regardless of the actual application of
>> said token. Is there a way of telling rails "don't render the token in this
>> form/action" and having it actually obey... short of hacking into core?
>>
>>
>> Cheers,
>> Taryn
>> _______________________________________________
>> Chat mailing list
>> Chat at lists.lrug.org
>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>
>>
>> _______________________________________________
>> Chat mailing list
>> Chat at lists.lrug.org
>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>
>>
>>
>> _______________________________________________
>> Chat mailing list
>> Chat at lists.lrug.org
>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>
>>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20090723/4e6876f0/attachment-0003.html>


More information about the Chat mailing list