<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>How about this in your session controller (assuming RESTful).</div><div><br></div><div>def protect_against_forgery?</div><div>&nbsp; # params[:action] is a String, so compare against strings</div><div>&nbsp; super unless %w[new create].include?(params[:action])</div><div>end</div><div><br></div><div>(you don't need the skip_filter with this solution either)</div><div><br></div><div>All untested. Good luck to ya!</div><div><br></div><div><div><div>On 23 Jul 2009, at 11:54, Taryn East wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><br><div class="gmail_quote">2009/7/23 Murray Steele <span dir="ltr">&lt;<a href="mailto:murray.steele@gmail.com">murray.steele@gmail.com</a>&gt;</span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <br><br><div class="gmail_quote"><div class="im">2009/7/23 Taryn East <span dir="ltr">&lt;<a href="mailto:teast@globalpersonals.co.uk" target="_blank">teast@globalpersonals.co.uk</a>&gt;</span><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Hi all,<div class="im"><br><br>Is there no way to render a form without the authenticity token? No other ideas?<br> </div></blockquote><div><br>The bit that controls when an auth token is rendered is protect_against_forgery?, a helper method which relies on the class level allow_forgery_protection variable. So on a controller level you could probably do this:<br> <br>class IDontCareAboutNoForgeryController &lt; ApplicationController<br> self.allow_forgery_protection = false<br>end<br><br>However, I can imagine that you might want the controller to care about forgery protection if auth tokens are provided, but in certain actions not actually bother with rendering an auth token. 
I don't think you can selectively include helpers in actions, so you might have to do some before_filter helper fu (or just use a separate controller for rendering the un-auth-token-generating-forms).</div> </div></blockquote><div><br>I thought so too... but from looking into the source code "allow forgery protection" is just another way of calling the <b>verify_authenticity_token</b> filter (you can see it here: <a href="http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery">http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery</a>).<br> <br>It doesn't actually stop the token from being rendered into the form for that action (I checked).<br><br>I'm now simply curious about whether or not there is actually a way to not render the authenticity token... regardless of the actual application of said token. Is there a way of telling rails "don't render the token in this form/action" and having it actually obey... short of hacking into core?<br> <br><br></div></div>Cheers,<br>Taryn<br> _______________________________________________<br>Chat mailing list<br><a href="mailto:Chat@lists.lrug.org">Chat@lists.lrug.org</a><br>http://lists.lrug.org/listinfo.cgi/chat-lrug.org<br></blockquote></div><br></div></body></html>