Heavy Sixer
2008-Mar-16 02:52 UTC
[Facebooker-talk] bypassing verify_authenticity_token before_filter when in facebook
Hi list,
Not sure if this is helpful for anyone but I am working on a Facebook
project where I need to bypass the new CSRF protection (built into Rails
2.0) under certain conditions. However, since my project works
outside of Facebook I don't want to disable the CSRF protection for
requests made outside of Facebook.
Here is a small extension I wrote for the ForgeryProtection module.

  ActionController::RequestForgeryProtection.module_eval do
    alias :original_verify_authenticity_token :verify_authenticity_token

    # Inside this module +self+ is the controller, so +params+ and
    # +action_name+ are used directly rather than an undefined +controller+.
    def verify_authenticity_token(*args)
      if params.include?('fb_sig') && action_name == 'sekret_method'
        # Pretend to call this before_filter.
        true
      else
        original_verify_authenticity_token(*args)
      end
    end
  end
I detailed the particulars for the how and why in a blog post in case
any of you are interested:
http://www.locusfoc.us/2008/3/16/if-you-can-t-beat-them-module_eval-them-bypassing-the-verify_authenticity_token-before_filter
Later,
Mark
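An added example, not code from Mark's post or from the Facebooker project: the override above skips the CSRF check whenever an fb_sig parameter is merely present, which any client can add to a request, so the check below gates the skip on actually verifying the legacy Facebook canvas signature over the fb_sig_* parameters with the application secret instead. The signing scheme (fb_sig_ prefix stripped, pairs sorted by key and concatenated as key=value, app secret appended, MD5 hex digest compared with fb_sig), the names valid_fb_signature? and skip_csrf_check?, and the sample values are assumptions of this example.

```ruby
require 'digest/md5'

# Verify the legacy Facebook canvas signature carried in the request.
# Assumed scheme: take every fb_sig_* param, strip the fb_sig_ prefix,
# sort by key, join as "key=value" with no separator, append the app
# secret and MD5 it; the hex digest must equal the plain 'fb_sig' param.
def valid_fb_signature?(params, app_secret)
  sig = params['fb_sig']
  return false if sig.nil?

  payload = params.select { |k, _| k.start_with?('fb_sig_') }
                  .sort_by { |k, _| k }
                  .map { |k, v| "#{k.sub(/\Afb_sig_/, '')}=#{v}" }
                  .join
  expected = Digest::MD5.hexdigest(payload + app_secret)

  # Constant-time comparison so a mismatch does not leak through timing.
  return false unless expected.bytesize == sig.bytesize
  expected.bytes.zip(sig.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# The condition that should replace params.include?('fb_sig') in the
# verify_authenticity_token override: only a request Facebook actually
# signed, and only for the one action, is allowed past the token check.
def skip_csrf_check?(params, action_name, app_secret)
  action_name == 'sekret_method' && valid_fb_signature?(params, app_secret)
end
```

Any request that fails skip_csrf_check? falls through to the normal Rails authenticity-token check, so unsigned requests from outside Facebook keep full CSRF protection.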