Forum: Rails-core (closed, excessive spam) protect_from_forgery? does not quite useful to tell whether a controller is protect against forgery

protect_from_forgery? does not quite useful to tell whether a controller is protect against forgery
Posted by iamawalrus@gmail.com (Guest)
on 2008-07-07 19:07
(Received via mailing list) 
For example, two controllers, one has protect_from_forgery and not.

Class A < ApplicationController
protect_from_forgery
...
end
Class B < ApplicationController
session :off
...
end

If I do not use cookie session or declare controller B as session off,
when I use link_to_remote in the views for B, I get a crash for
no :secret is given in B.

Currently, protect_against_forgery? is implemented as

def protect_against_forgery?
        allow_forgery_protection && request_forgery_protection_token
end

By default allow_forgery_protection is true and
request_forgery_protection_token is a cattr_accessor. So no matter
where protect_from_forgery is called once, protect_against_forgery?
will return true everywhere, which makes protect_against_forgery? not
quite useful to tell whether a controller is protect against forgery
or not.

I have proposed a fix at
http://rails.lighthouseapp.com/projects/8994-ruby-...
. Hope it help.
Edit | Move | Delete topic | Reply with quote
Enable email notification | Enable multi-page view
This topic is locked and can not be replied to.
Powered by RForum and Captchator. Contact information - E-Mail: webmaster (at) ruby-forum (dot) com.