
I am working on a custom CMS and I HAVE to include the implementation of forms as HTML in a content object. I guess you can see where this is going: I can't use the 'form' Rails helper that would add an authenticity token, and if I hard-code it, I would not be able to update it when it changes.

PS: My current solution is to turn off forgery_protection on the controller the form is pointing to.

EDIT:

Is it safe to add the authenticity_token with JS to any form that doesn't have one?

fenec
  • If you want to avoid it, use `protect_from_forgery except: :create` for that controller, and this https://github.com/rails/rails/blob/e7feaff70f13b56a0507e9f4dfaf3ebc361cb8e6/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L266 is for making the token – Rajarshi Das Dec 22 '15 at 16:01
  • I don't think you need to switch off forgery protection - can you explain some more about these forms which you save, or whatever's happening? – Max Williams Dec 22 '15 at 16:01
  • @RajarshiDas I already did that, so it means that anybody can just post to that action and exploit the CSRF – fenec Dec 22 '15 at 16:16
  • You should have Rails generate a token for you and then have it injected in the form and/or the headers of future requests via JavaScript. – Mihai Dinculescu Dec 22 '15 at 16:23
  • @Mihai-AndreiDinculescu Any tutorial that shows how it is done? I like the idea – fenec Dec 22 '15 at 17:24
  • That's really dependent on the stack that you're developing on. Here's a guide I've written for ASP.NET MVC & AngularJS: http://stackoverflow.com/questions/32460196/angularjs-web-api-antiforgerytoken-csrf. The steps should be the same for a different stack. – Mihai Dinculescu Dec 22 '15 at 20:11
  • The question has been tagged with RoR – fenec Dec 22 '15 at 20:12
