iamawalrus@gmail.com
2008-Jul-07 17:06 UTC
protect_from_forgery? is not quite useful for telling whether a controller is protected against forgery or not
For example, take two controllers, one with protect_from_forgery and one without:
class A < ApplicationController
  protect_from_forgery   # opts this controller in to CSRF protection
  ...
end

class B < ApplicationController
  session :off           # no session, so no place to keep a forgery token
  ...
end
If I do not use the cookie session store, or declare controller B as session off,
then when I use link_to_remote in the views for B, I get a crash because
no :secret is given in B.
Currently, protect_against_forgery? is implemented as

def protect_against_forgery?
  allow_forgery_protection && request_forgery_protection_token
end
By default allow_forgery_protection is true and
request_forgery_protection_token is a cattr_accessor. So once
protect_from_forgery is called anywhere, protect_against_forgery?
will return true everywhere, which makes protect_against_forgery? not
quite useful for telling whether a controller is protected against forgery
or not.
I have proposed a fix at
http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/555-protect_from_forgery-is-not-quite-class-wise
. Hope it helps.
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
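The class-wide leak the message describes, as an added example that is not part of the original post and not Rails's own source: the SharedController/ScopedController classes, their subclasses and the forgery_status helper below are stand-ins written for this illustration. The first pair uses a class variable the way a cattr_accessor does, so a single protect_from_forgery call flips protect_against_forgery? to true on every controller; the second pair keeps the token per class (inherited from the parent, but settable without touching siblings), so a controller that never opted in still reports false. That per-class answer is what a view helper needs to decide whether it can safely emit a token for a given controller.

```ruby
# Stand-in for a cattr_accessor: one class variable shared by the base class
# and every subclass, so the first opt-in is visible from everywhere.
class SharedController
  @@request_forgery_protection_token = nil
  @@allow_forgery_protection = true

  def self.request_forgery_protection_token
    @@request_forgery_protection_token
  end

  def self.protect_from_forgery(token = :authenticity_token)
    @@request_forgery_protection_token = token   # overwrites the shared value
  end

  # Mirrors the check quoted in the post: true once any controller opted in.
  def protect_against_forgery?
    @@allow_forgery_protection && !!self.class.request_forgery_protection_token
  end
end

class SharedA < SharedController
  protect_from_forgery
end

class SharedB < SharedController   # never opted in, yet reports protected
end

# Per-class variant: the token lives on the class that declared it, falling
# back to the superclass so a base-class opt-in still reaches subclasses.
class ScopedController
  class << self
    def request_forgery_protection_token
      if instance_variable_defined?(:@request_forgery_protection_token)
        @request_forgery_protection_token
      elsif superclass.respond_to?(:request_forgery_protection_token)
        superclass.request_forgery_protection_token
      end
    end

    def protect_from_forgery(token = :authenticity_token)
      @request_forgery_protection_token = token   # only this class (and its children)
    end

    def allow_forgery_protection
      true
    end
  end

  def protect_against_forgery?
    self.class.allow_forgery_protection && !!self.class.request_forgery_protection_token
  end
end

class ScopedA < ScopedController
  protect_from_forgery
end

class ScopedB < ScopedController   # stays unprotected, and says so
end

# Collects the answer each controller gives, so the two models can be compared.
def forgery_status
  {
    shared_a: SharedA.new.protect_against_forgery?,
    shared_b: SharedB.new.protect_against_forgery?,
    scoped_a: ScopedA.new.protect_against_forgery?,
    scoped_b: ScopedB.new.protect_against_forgery?
  }
end

puts forgery_status.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints shared_b as true even though SharedB never called protect_from_forgery, which is the symptom behind the link_to_remote crash in a session-less controller; scoped_b comes back false, so a helper consulting it would know not to look for a token there.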