Rails request forgery protection settings
Posted
by Vitaly
on Stack Overflow
See other posts from Stack Overflow
or by Vitaly
Published on 2010-04-27T21:01:36Z
Indexed on
2010/04/27
21:03 UTC
Read the original article
Hit count: 458
Hey,
please help a newbie in Rails :) I have protect_from_forgery
call (which is given by default) with no attributes in my ApplicationController
class.
Basically here's the code:
class ApplicationController < ActionController::Base
helper :all # include all helpers, all the time
protect_from_forgery
helper_method :current_user_session, :current_user
filter_parameter_logging :password, :password_confirmation
What I assume it should do is: it should prevent any POST requests without correct authenticity_token
. But when I send post request with jQuery like the one below, it works fine (there's update statement that is executed in the database)!
$.post($(this).attr("href"), { _method: "PUT", data: { test: true } });
I see in console that there's no authenticity_token
among sent parameters, but request is still considered valid. Why is that?
© Stack Overflow or respective owner