Hi,

I'm building a Flex 4 + Rails 2.3.5 application. At first I was using XML to pass data through, and I used to get an error complaining about the Authenticity Token, which I then passed manually to get past the error.

After that I refactored my code to use RubyAmf, which seems to be working. I didn't pass in the authenticity_token at first, but I noticed that Rails didn't complain and the request went through. My app still has protect_from_forgery uncommented.

Does RubyAmf bypass that somehow?

Thanks,

Tam

+1  A: 

I believe forgery protection does not fire off for GET requests, only POSTs, DELETEs and PUTs. Maybe the scenario you're testing is executing a GET request?

Jose Fernandez
With rubyamf I can send POST requests
Tam
+1  A: 

Ruby AMF directly calls controller actions and returns the results after serializing to AMF. This is opposed to how a standard HTTP request works, which goes through the router first.

camwest
Forgery protection is fired off by the controller as a before_filter; it shouldn't matter if the router called it or not
Jose Fernandez