Methods
- form_authenticity_param
- form_authenticity_token
- included
- protect_against_forgery?
- verifiable_request_format?
- verified_request?
- verify_authenticity_token
Classes and Modules
Module ActionController::RequestForgeryProtection::ClassMethodsPublic Class methods
[ show source ]
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 6 6: def self.included(base) 7: base.class_eval do 8: helper_method :form_authenticity_token 9: helper_method :protect_against_forgery? 10: end 11: base.extend(ClassMethods) 12: end
Protected Instance methods
[ show source ]
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 95 95: def form_authenticity_param 96: params[request_forgery_protection_token] 97: end
Sets the token value for the current session. Pass a :secret option in protect_from_forgery to add a custom salt to the hash.
[ show source ]
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 105 105: def form_authenticity_token 106: session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32) 107: end
[ show source ]
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 109 109: def protect_against_forgery? 110: allow_forgery_protection && request_forgery_protection_token 111: end
[ show source ]
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 99 99: def verifiable_request_format? 100: !request.content_type.nil? && request.content_type.verify_request? 101: end
Returns true or false if a request is verified. Checks:
- is the format restricted? By default, only HTML requests are checked.
- is it a GET request? Gets should be safe and idempotent
- Does the form_authenticity_token match the given token value from the params?
[ show source ]
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 87 87: def verified_request? 88: !protect_against_forgery? || 89: request.method == :get || 90: request.xhr? || 91: !verifiable_request_format? || 92: form_authenticity_token == form_authenticity_param 93: end
The actual before_filter that is used. Modify this to change how you handle unverified requests.
[ show source ]
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 78 78: def verify_authenticity_token 79: verified_request? || raise(ActionController::InvalidAuthenticityToken) 80: end