On Monday, August 20, 2012 5:47:11 PM UTC+1, Johnny wrote:
> Running ruby 1.9.3 and Rails 3.2.8.
>
> I feel like I'm not fully understanding how CSRF works.
>
> I have `protect_from_forgery` in my ApplicationController.
>
> So, now should all non-GET requests require an authentication token?
>
Yes (unless you explicitly skip the before filter that does that verification).
> Specifically, I have a `destroy` method that doesn't seem to care
> if a token is present or not.
> (I can submit a curl request in terminal, and it doesn't balk.)
>
What happens? The default action when the token is missing or invalid is to
reset the session (to clear your credentials. There is also a hook for
libraries like devise to zap their credential storage) and then continue
processing the request. Given that CSRF is about using a user's credentials
without them knowing it, then if the action didn't require authentication
in the first place it is considered ok. You can overwrite
the handle_unverified_request if you want to change this (for example you
could restore the rails 2.x behaviour which was to raise an exception).
> Does being in development have something to do with it?
>
No
Fred
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit
https://groups.google.com/d/msg/rubyonrails-talk/-/T_RdwIfNAxAJ.
For more options, visit https://groups.google.com/groups/opt_out.
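The behaviour Fred describes (a missing or bad token resets the session and the action still runs, unless `handle_unverified_request` is overridden to raise) is easy to misread from a curl test, so here is a small model of the Rails 3.2 flow as an added example. It is not code from the thread or from Rails itself: `FakeController`, `StrictController`, `run_delete` and the `InvalidAuthenticityToken` stand-in are constructed for this illustration so the file runs without Rails installed; the method names `form_authenticity_token`, `verified_request?` and `handle_unverified_request` follow the real `RequestForgeryProtection` module, but their bodies are simplified.

```ruby
require 'securerandom'

# Stand-in for ActionController::InvalidAuthenticityToken (hypothetical name
# scoping, so this runs with plain Ruby and no Rails gem).
class InvalidAuthenticityToken < StandardError; end

# Minimal model of a Rails 3.2 controller with protect_from_forgery enabled.
# Real Rails runs the token check in a before filter for every non-GET request;
# here that filter is invoked explicitly from +dispatch+.
class FakeController
  SAFE_METHODS = %w[GET HEAD].freeze

  attr_reader :session, :params, :headers, :destroyed

  def initialize(session, method, params = {}, headers = {})
    @session   = session   # a Hash standing in for the Rails session store
    @method    = method
    @params    = params
    @headers   = headers
    @destroyed = false
  end

  # Like form_authenticity_token: lazily mint a random token into the session.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Like verified_request?: GET/HEAD are exempt; otherwise the token supplied in
  # params[:authenticity_token] or the X-CSRF-Token header must match the session.
  def verified_request?
    return true if SAFE_METHODS.include?(@method)
    supplied = @params[:authenticity_token] || @headers['X-CSRF-Token']
    !supplied.nil? && supplied == form_authenticity_token
  end

  # Rails 3.2 default: wipe the session (dropping any login) and keep going.
  def handle_unverified_request
    @session.clear
  end

  # The before filter followed by the action.
  def dispatch
    handle_unverified_request unless verified_request?
    destroy
    self
  end

  # An action that does not itself check for a logged-in user, as in the question.
  def destroy
    @destroyed = true
  end
end

# The Rails 2.x-style behaviour Fred mentions: override the hook to raise instead.
class StrictController < FakeController
  def handle_unverified_request
    raise InvalidAuthenticityToken, 'CSRF token missing or invalid'
  end
end

# Run one DELETE against a controller class, with or without the right token.
# Returns whether the action ran and whether the login survived.
def run_delete(klass, with_token:)
  session = { user_id: 42 }                                  # constructed: a logged-in user
  token = klass.new(session, 'GET').form_authenticity_token  # as a rendered form would
  params = with_token ? { authenticity_token: token } : {}
  ctrl = klass.new(session, 'DELETE', params).dispatch
  { destroyed: ctrl.destroyed, user_id: session[:user_id] }
end

if __FILE__ == $PROGRAM_NAME
  p run_delete(FakeController, with_token: false)   # destroy runs, session emptied
  p run_delete(FakeController, with_token: true)    # destroy runs, login kept
  begin
    run_delete(StrictController, with_token: false)
  rescue InvalidAuthenticityToken => e
    puts "StrictController: #{e.message}"             # request rejected outright
  end
end
```

The first call is the situation in the question: the `destroy` action still executes for a token-less request, but `session[:user_id]` is gone afterwards, so a request that relied on the victim's login would have found no credentials. If `destroy` had been guarded by a login check, clearing the session is what would have stopped it. The `StrictController` variant shows the override Fred suggests, which turns the same request into an exception before the action is reached.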