开发者

How do I secure this post request to Rails?

问答 作者:

I'm trying to work out security for my AJAX calls. I've got a jQuery post call which deletes a note. From what I've read, it seems that I need to use protect_from_forgery to ensure that the post is coming from a valid user.

This is what I have so far

application_controller.rb

class ApplicationController < ActionController::Base
  protect_from_forgery
...

index.html

$.post('../delete_note',{id:$('#note_id').val()}, function(da开发者_StackOverflow社区ta) {

});

note_controller.rb

def delete_note
    y params
    render :text => "success"
end

At the moment, the post request gets run by Rails, even though I'm not sending any security token with it. What do I need to do secure the call?

I'm using Rails 3.0.1 and devise for user management.

You probably want to ensure the user is signed in, using in your note controller something like:

before_filter :authenticate_member!, :except => [:index]

Additionally, check if the user has the rights to delete the note, for that you want to use a authorization solution like cancan.

继续阅读:csrfruby-on-railssecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9