Hi all,
Is there any provisions in rails that would allow all AJAX POST requests from the site to pass without an authenticity_token?
I have a Jquery POST ajax call that calls a controller method, but I did not put any authenticity code in it and yet the call succeeds.
My ApplicationController does have 'request_forgery_protection' and I've changed
config.action_controller.consider_all_requests_local
to false in my environments/development.rb
I've also searched my code to ensure that I was not overloading ajaxSend to send out authenticity tokens.
Is there some mechanism in play that disables the check? Now I'm not sure if my CSRF protection is working or not.
I'm using Rails 2.3.5.
Update for clarity:
function voteup(url, groupid){
$.ajax({
type: "POST",
url: "/groups/" + groupid + "/submissions/voteup",
data: "url=" + url,
dataType: 'text',
success: function(data){
var counter = "vote_" + url;
$('#vote_' + url.cleanify()).text(" " + data + " ");
}
});
};
I have a link which then has a 'href that calls the above function:
<a href='javascript:voteup(param1,param2)'>...</a>