Rails request forgery protection settings
        Posted  
        
            by Vitaly
        on Stack Overflow
        
        See other posts from Stack Overflow
        
            or by Vitaly
        
        
        
        Published on 2010-04-27T21:01:36Z
        Indexed on 
            2010/04/27
            21:03 UTC
        
        
        Read the original article
        Hit count: 524
        
Hey,
please help a newbie in Rails :) I have protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class. 
Basically here's the code:
class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time
  protect_from_forgery
  helper_method :current_user_session, :current_user
  filter_parameter_logging :password, :password_confirmation
What I assume it should do is: it should prevent any POST requests without correct authenticity_token. But when I send post request with jQuery like the one below, it works fine (there's update statement that is executed in the database)!
$.post($(this).attr("href"), { _method: "PUT", data: { test: true } });
I see in console that there's no authenticity_token among sent parameters, but request is still considered valid. Why is that?
© Stack Overflow or respective owner