Rails request forgery protection settings

Posted by Vitaly on Stack Overflow See other posts from Stack Overflow or by Vitaly
Published on 2010-04-27T21:01:36Z Indexed on 2010/04/27 21:03 UTC
Read the original article Hit count: 458

Hey,

please help a newbie in Rails :) I have protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class.

Basically here's the code:

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time
  protect_from_forgery
  helper_method :current_user_session, :current_user
  filter_parameter_logging :password, :password_confirmation

What I assume it should do is: it should prevent any POST requests without correct authenticity_token. But when I send post request with jQuery like the one below, it works fine (there's update statement that is executed in the database)!

$.post($(this).attr("href"), { _method: "PUT", data: { test: true } });

I see in console that there's no authenticity_token among sent parameters, but request is still considered valid. Why is that?

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Related posts about request