On Monday, August 20, 2012 5:47:11 PM UTC+1, Johnny wrote:
> Running ruby 1.9.3 and Rails 3.2.8.
> I feel like I’m not fully understanding how CSRF works.
> protect_from_forgery in my ApplicationController.
> So, now should all non-GET requests require an authentication token?
Yes (unless you explicitly skip the before filter that does that).
> Specifically, I have a destroy method that doesn’t seem to care if a
> token is present or not.
> (I can submit a curl request in terminal, and it doesn’t balk.)
What happens? The default action when the token is missing or invalid is to reset the session (to clear your credentials; there is also a hook for libraries like Devise to zap their credential storage) and then continue processing the request. Given that CSRF is about using a user's without them knowing it, then if the action didn’t require in the first place it is considered ok. You can overwrite the handle_unverified_request if you want to change this (for example you could restore the Rails 2.x behaviour, which was to raise an exception).
> Does being in development have something to do with it?
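To make the behaviour described in the reply concrete, here is an added, self-contained Ruby model (not code from the thread and not Rails itself) of what protect_from_forgery does in Rails 3.2: the default handle_unverified_request empties the session and lets the action run, which is why a token-less curl request against a destroy action that never checks for a logged-in user still succeeds; the strict subclass shows the Rails 2.x-style override that raises instead. All class names except the two Rails method names are invented for the illustration.

```ruby
# Illustrative stand-in for protect_from_forgery; not Rails' own code.
class ForgeryError < StandardError; end

class BaseController
  attr_reader :session, :log

  def initialize(session)
    @session = session      # e.g. { 'user_id' => 7, '_csrf_token' => 'abc' }
    @log = []
  end

  # As in Rails: GET/HEAD are exempt; every other verb must carry the
  # session token as the authenticity_token param or X-CSRF-Token header.
  def verified_request?(method, params, headers)
    return true if %w[GET HEAD].include?(method)
    expected = session['_csrf_token']
    return false if expected.nil?
    [params['authenticity_token'], headers['X-CSRF-Token']].include?(expected)
  end

  # Rails 3.x default: drop the session (credentials gone) and carry on.
  def handle_unverified_request
    @log << :session_reset
    @session = {}
  end

  # The before filter runs first, then the action; returns the action's result.
  def dispatch(method, params = {}, headers = {})
    handle_unverified_request unless verified_request?(method, params, headers)
    destroy
  end

  # A destroy action with no login check, like the one in the question:
  # it does its work whether or not the session survived.
  def destroy
    @log << :destroyed
    :destroyed
  end
end

# Rails 2.x style: refuse the request instead of silently continuing.
class StrictController < BaseController
  def handle_unverified_request
    super
    raise ForgeryError, 'invalid or missing authenticity token'
  end
end
```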