How do I secure this post request to Rails?
I'm trying to work out security for my AJAX calls. I've got a jQuery post call which deletes a note. From what I've read, it seems that I need to use protect_from_forgery
to ensure that the post is coming from a valid user.
This is what I have so far
application_controller.rb
class ApplicationController < ActionController::Base
protect_from_forgery
...
index.html
$.post('../delete_note',{id:$('#note_id').val()}, function(da开发者_StackOverflow社区ta) {
});
note_controller.rb
def delete_note
y params
render :text => "success"
end
At the moment, the post request gets run by Rails, even though I'm not sending any security token with it. What do I need to do secure the call?
I'm using Rails 3.0.1 and devise for user management.
You probably want to ensure the user is signed in, using in your note controller something like:
before_filter :authenticate_member!, :except => [:index]
Additionally, check if the user has the rights to delete the note, for that you want to use a authorization solution like cancan.
精彩评论