[LRUG] How to *not* add an authenticity token to a form

Murray Steele murray.steele at gmail.com
Thu Jul 23 04:33:36 PDT 2009


2009/7/23 Taryn East <teast at globalpersonals.co.uk>

> Ah sorry - you're right. I got "protect_against_forgery?" mixed up with
> "protect_from_forgery" (similar names are confusing).
> great - curiosity sated ;)
>

I dug deeper and it turns out we're both right.  If you're rendering a get
you never get an auth token, if you're rendering a post you'll get an auth
token depending on the result of protect_against_forgery?, any other method
and you'll always get an auth token.

Sounds like someone should wrap that up into a patch as it seems
inconsistent at best.

Muz