开发者

How do I secure this post request to Rails?

I'm trying to work out security for my AJAX calls. I've got a jQuery post call which deletes a note. From what I've read, it seems that I need to use protect_from_forgery to ensure that the post is coming from a valid user.

This is what I have so far

application_controller.rb

class ApplicationController < ActionController::Base
  protect_from_forgery
...

index.html

$.post('../delete_note',{id:$('#note_id').val()}, function(da开发者_StackOverflow社区ta) {

});

note_controller.rb

def delete_note
    y params
    render :text => "success"
end 

At the moment, the post request gets run by Rails, even though I'm not sending any security token with it. What do I need to do secure the call?

I'm using Rails 3.0.1 and devise for user management.


You probably want to ensure the user is signed in, using in your note controller something like:

before_filter :authenticate_member!, :except => [:index]

Additionally, check if the user has the rights to delete the note, for that you want to use a authorization solution like cancan.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜