RESTful request to Rails app using curl ignores AuthenticityToken
Is there any reason that AuthenticityToken would be ignored when executing a REST HTTP request using curl?
curl http://localhost:3000/Asset/9f3cb180-e410-11de-8a39-0800200c9a66.xml -X DELETE
The above will execute remove an Asset of the given ID from the database with no regards to what the AuthenticityToken is (usually nil).
class AssetsController < ApplicationController
protect_from_forgery :only => [:create, :update, :destroy]
#... More Rails Controller Code
def destroy
#destroy the Asset
end
^This is how the Assets controller read, clearly defining that destroy should be protected.
I have trie开发者_Python百科d sending delete requests vial Net::HTTP but they get rejected since they do not supply an AuthenticityToken. So, any idea why curl always seems to be successful at executing these HTTP requests?
Rails doesn't perform forgery protection for .xml requests: "...only non-GET, HTML/JavaScript requests are checked." http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html
Maybe you need something like what's described here? http://www.hyperionreactor.net/blog/token-based-authentication-rails-3-and-rails-2
精彩评论