Menu
Is there any provisions in rails that would allow all AJAX POST requests from the site to pass without an authenticity_token?
I have a Jquery POST ajax call that calls a controller method, but I did not put any authenticity code in it and yet the call succeeds.
My ApplicationController does have 'request_forgery_protection' and I've changed
config.action_controller.consider_all_requests_local
to false in my environments/development.rb
I've also searched my code to ensure that I was not overloading ajaxSend to send out authenticity tokens.
Is there some mechanism in play that disables the check? Now I'm not sure if my CSRF protection is working or not.
I'm using Rails 2.3.5.
Update for clarity:
function voteup(url, groupid){
$.ajax({
type: "POST",
url: "/groups/" + groupid + "/submissions/voteup",
data: "url=" + url,
dataType: 'text',
success: function(data){
var counter = "vote_" + url;
$('#vote_' + url.cleanify()).text(" " + data + " ");
}
});
};
I have a link which then has a 'href that calls the above function:
<a href='javascript:voteup(param1,param2)'>...</a>
436
A likely scenario here is that you're using jQuery to serialize a normal Rails form... and it is including in that the serialized auth token hidden field (Rails adds them to all forms).
Look at your generated source for the form you're submitting... it's likely you'll see
<input name="authenticity_token" type="hidden" value="somethinghere...." />
The other thing you can do is check the log to see if the authenticity_token field is in the request params.
97
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
