Module: ActionController::RequestForgeryProtection::ClassMethods
- Defined in:
- actionpack/lib/action_controller/metal/request_forgery_protection.rb
Instance Method Summary collapse
-
#protect_from_forgery(options = {}) ⇒ Object
Turn on request forgery protection.
-
#skip_forgery_protection(options = {}) ⇒ Object
Turn off request forgery protection.
Instance Method Details
#protect_from_forgery(options = {}) ⇒ Object
Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.
class ApplicationController < ActionController::Base
protect_from_forgery
end
class FooController < ApplicationController
protect_from_forgery except: :index
end
You can disable forgery protection on controller by skipping the verification before_action:
skip_before_action :verify_authenticity_token
Valid Options:
-
:only/:except
- Only apply forgery protection to a subset of actions. For exampleonly: [ :create, :create_all ]
. -
:if/:unless
- Turn off the forgery protection entirely depending on the passed Proc or method reference. -
:prepend
- By default, the verification of the authentication token will be added at the position of the protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).If you need to add verification to the beginning of the callback chain, use
prepend: true
. -
:with
- Set the method to handle unverified request.
Valid unverified request handling methods are:
-
:exception
- Raises ActionController::InvalidAuthenticityToken exception. -
:reset_session
- Resets the session. -
:null_session
- Provides an empty session during request but doesn’t reset it completely. Used as default if:with
option is not specified.
135 136 137 138 139 140 141 142 |
# File 'actionpack/lib/action_controller/metal/request_forgery_protection.rb', line 135 def protect_from_forgery( = {}) = .reverse_merge(prepend: false) self.forgery_protection_strategy = protection_method_class([:with] || :null_session) self.request_forgery_protection_token ||= :authenticity_token before_action :verify_authenticity_token, append_after_action :verify_same_origin_request end |
#skip_forgery_protection(options = {}) ⇒ Object
Turn off request forgery protection. This is a wrapper for:
skip_before_action :verify_authenticity_token
See skip_before_action
for allowed options.
149 150 151 |
# File 'actionpack/lib/action_controller/metal/request_forgery_protection.rb', line 149 def skip_forgery_protection( = {}) skip_before_action :verify_authenticity_token, end |