On Monday, August 20, 2012 5:47:11 PM UTC+1, Johnny wrote:
>
> Running ruby 1.9.3 and Rails 3.2.8.
>
> I feel like I'm not fully understanding how CSRF works.
>
> I have `protect_from_forgery` in my ApplicationController.
>
> So, now should all non-GET requests require an authentication token?

Yes (unless you explicitly skip the before filter that does that verification).

> Specifically, I have a `destroy` method that doesn't seem to care if a
> token is present or not.
> (I can submit a curl request in terminal, and it doesn't balk.)
> What happens?

The default action when the token is missing or invalid is to reset the session (to clear your credentials; there is also a hook for libraries like Devise to zap their credential storage) and then continue processing the request. Given that CSRF is about using a user's credentials without them knowing it, if the action didn't require authentication in the first place it is considered OK. You can override `handle_unverified_request` if you want to change this (for example you could restore the Rails 2.x behaviour, which was to raise an exception).

> Does being in development have something to do with it?

No

Fred
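As an added illustration (not Fred's code and not Rails' own source), a self-contained Ruby model of the behaviour described above: the token check on non-GET requests, the Rails 3.2 default of resetting the session and still running the action, and the raising override. `ItemsController`, its `strategy` argument and the hash `destroy` returns are assumptions made for the example; `form_authenticity_token`, `verified_request?` and `handle_unverified_request` are the real Rails method names.

```ruby
require 'securerandom'

# Constructed model of Rails 3.2 request forgery protection (not the
# ActionController source): the authenticity token lives in the session,
# every non-GET request must echo it back, and an unverified request is
# handled by one of the two strategies discussed in the thread.
class InvalidAuthenticityToken < StandardError; end
class ItemsController
  attr_reader :session

  # :reset_session is the Rails 3.2 default; :raise is the Rails 2.x
  # behaviour you get by overriding handle_unverified_request.
  def initialize(session, strategy = :reset_session)
    @session = session
    @strategy = strategy
  end

  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Safe methods are exempt; everything else must present the session
  # token in the authenticity_token param or the X-CSRF-Token header.
  def verified_request?(method, params, headers)
    return true if %w[GET HEAD].include?(method)
    presented = params['authenticity_token'] || headers['X-CSRF-Token']
    secure_compare(presented.to_s, form_authenticity_token)
  end

  # Constant-time comparison so timing cannot leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def handle_unverified_request
    case @strategy
    when :reset_session then @session.clear # credentials gone, request continues
    when :raise then raise InvalidAuthenticityToken
    end
  end

  # The filter runs first; unless it raised, the action is processed anyway.
  # destroy reports which user (if any) it ran as (assumed return shape).
  def destroy(method, params = {}, headers = {})
    handle_unverified_request unless verified_request?(method, params, headers)
    { destroyed: true, current_user: @session[:user_id] }
  end
end
```

With the default strategy a tokenless `DELETE` still reaches `destroy`, which is why curl "doesn't balk"; the difference is that the session, and so any logged-in user, is gone by the time the action runs.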

