Hey,

please help a newbie in Rails :) I have protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class.

Basically here's the code:

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time
  protect_from_forgery
  helper_method :current_user_session, :current_user
  filter_parameter_logging :password, :password_confirmation

What I assume it should do is: it should prevent any POST requests without correct authenticity_token. But when I send post request with jQuery like the one below, it works fine (there's update statement that is executed in the database)!

$.post($(this).attr("href"), { _method: "PUT", data: { test: true } });

I see in console that there's no authenticity_token among sent parameters, but request is still considered valid. Why is that?