<div class="gmail_quote">2009/7/23 Taryn East <span dir="ltr"><<a href="mailto:teast@globalpersonals.co.uk">teast@globalpersonals.co.uk</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><div class="gmail_quote">2009/7/23 Murray Steele <span dir="ltr"><<a href="mailto:murray.steele@gmail.com" target="_blank">murray.steele@gmail.com</a>></span><div><div></div><div class="h5"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><br><div class="gmail_quote"><div>2009/7/23 Taryn East <span dir="ltr"><<a href="mailto:teast@globalpersonals.co.uk" target="_blank">teast@globalpersonals.co.uk</a>></span><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi all,<div><br><br>Is there no way to render a form without the authenticity token? No other ideas?<br>
</div></blockquote><div><br>The bit that controls when an auth token is rendered is protect_against_forgery?, a helper method which relies on the class-level allow_forgery_protection variable. So on a controller level you could probably do this:<br>
<br>class IDontCareAboutNoForgeryController < ApplicationController<br> self.allow_forgery_protection = false<br>end<br><br>However, I can imagine that you might want the controller to care about forgery protection if auth tokens are provided, but in certain actions not actually bother with rendering an auth token. I don't think you can selectively include helpers in actions, so you might have to do some before_filter helper fu (or just use a separate controller for rendering the un-auth-token-generating-forms).</div>
</div></blockquote></div></div><div><br>I thought so too... but from looking into the source code "allow forgery protection" is just another way of calling the <b>verify_authenticity_token</b> filter (you can see it here: <a href="http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery" target="_blank">http://apidock.com/rails/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery</a>).<br>
<br>It doesn't actually stop the token from being rendered into the form for that action (I checked).<br><br>I'm now simply curious about whether or not there is actually a way to not render the authenticity token... regardless of the actual application of said token. Is there a way of telling rails "don't render the token in this form/action" and having it actually obey... short of hacking into core?</div>
</div></blockquote><div><br>Well, I know that in my tests I have a:<br><br>def protect_against_forgery?<br> false<br>end<br><br>so that none of my forms are rendered with auth tokens (there's some reason I didn't want certain tests to try and generate auth tokens, but I can't remember what it is). So I'm fairly sure that providing a protect_against_forgery? method that returns false gets you what you want. It's just a case of making that method available only to the views where you don't want auth tokens rendered.<br>
<br>Muz<br></div></div>
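<div>Added example, not part of the thread and not Rails code: a simplified plain-Ruby model of the behaviour discussed above, assuming the form helper and the verification filter both consult protect_against_forgery?. ModelController, ModelView and render_token: are hypothetical names. It shows that overriding the predicate for a view only removes the hidden field while POST verification stays active, so a form rendered that way is rejected on submit.</div>

```ruby
require 'securerandom'

# Plain-Ruby model, not Rails code. ModelController and ModelView are
# hypothetical names; only the method names come from the thread.
class ModelController
  class InvalidAuthenticityToken < StandardError; end
  class << self; attr_accessor :allow_forgery_protection; end
  self.allow_forgery_protection = true

  def initialize(session = {})
    @session = session
  end

  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Controller side: decides whether incoming requests are verified.
  def protect_against_forgery?
    self.class.allow_forgery_protection
  end

  # Stand-in for the verify_authenticity_token filter.
  # (Model only: a real check should compare in constant time.)
  def verify!(method, params)
    return true if !protect_against_forgery? || method == :get
    return true if params[:authenticity_token] == form_authenticity_token
    raise InvalidAuthenticityToken
  end
end

class ModelView
  # render_token: nil defers to the controller; false models a view-only
  # protect_against_forgery? override like the one in the reply above.
  def initialize(controller, render_token: nil)
    @controller = controller
    @render_token = render_token
  end

  def protect_against_forgery?
    @render_token.nil? ? @controller.protect_against_forgery? : @render_token
  end

  def form_tag(action)
    html = %(<form action="#{action}" method="post">)
    return html unless protect_against_forgery?
    html + %(<input type="hidden" name="authenticity_token" value="#{@controller.form_authenticity_token}" />)
  end
end
```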