On 6 August 2010 19:42, Lille <[email protected]> wrote: > Hi, > > I'm using authentication with a :before_filter for controller actions > I want to restrict. I see that I'll want to authenticate GET request > actions, but what about PUT, DELETE, POST requests? Can anyone 'get' > to these latter requests if all GET requests on a resource are > authenticated? In this same vein, how about covering ajax actions?
I think all actions should be protected. Assume that any action url and request type can be generated by a hacker. Colin -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
