kateray

Reputation: 2256

Rails CSRF Countermeasures on Users edit and update

I'm setting up security on my Rails App according to the Ruby on Rails Guide.

My understanding is that the 'edit' method in the Users Controller (which I'm using to render my User settings view) should only be submitting a GET request, and that the 'update' method is submitting the POST request. But when I want to verify the types of requests for different methods like this:

# UsersController
verify :method => :post, :only => [:update], :redirect_to => {:action => :show}

the app doesn't save any of the changes made to user settings. And if I change the verification to

verify :method => :post, :only => [:update, :edit], :redirect_to => {:action => :show}

I can't even render the settings view.

StackOverflow is usually great at educating me on areas I don't know much about; does anyone know what could be going on?

Upvotes: 1

Views: 136

Answers (1)

Jaime Bellmyer

Reputation: 23317

You're close, but a little off. Here are the seven RESTful routes, and what method they use:

  1. index: GET
  2. show: GET
  3. new: GET
  4. create: POST
  5. edit: GET
  6. update: PUT
  7. destroy: DELETE

As you can see, updating requires a PUT. It's creating that uses POST. This should fix it:

verify :method => :put, :only => [:update], :redirect_to => {:action => :show}

Upvotes: 1
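To make the answer's point concrete, here is an added example (not code from the question, the answer, or Rails itself) that re-implements in plain Ruby the check that Rails 2.x `verify :method => ...` performs, so the asker's two rules and the answer's fix can be run side by side. The names `VerifyRule`, `verify_request` and `simulate` are hypothetical; the `_method` handling mirrors how Rails turns a browser's POST with `_method=put` into a PUT before filters run.

```ruby
# Added example, not from the question, the answer or Rails: a minimal
# re-implementation of what Rails 2.x `verify :method => ...` checks, so the
# asker's two rules and the answer's fix can be compared side by side.
# VerifyRule, verify_request and simulate are hypothetical names.

# The seven RESTful actions and the HTTP verb each one is reached with.
RESTFUL_VERBS = {
  :index => :get, :show => :get, :new => :get, :create => :post,
  :edit => :get, :update => :put, :destroy => :delete
}.freeze

VerifyRule = Struct.new(:verb, :only, :redirect_to)

# Browsers only speak GET and POST, so form_for submits update as a POST
# carrying _method=put; Rails rewrites that to PUT before any filter runs.
def effective_verb(http_method, params = {})
  override = params["_method"]
  return override.downcase.to_sym if http_method == :post && override
  http_method
end

# :allow when the action may run; [:redirect, target] when a rule whose
# :only list names the action rejects the verb (first rejecting rule wins).
def verify_request(rules, action, http_method, params = {})
  verb = effective_verb(http_method, params)
  rules.each do |rule|
    next unless rule.only.include?(action)
    next if Array(rule.verb).include?(verb)
    return [:redirect, rule.redirect_to]
  end
  :allow
end

# Drive a request through the rules using the verb the RESTful route uses.
def simulate(rules, action, params = {})
  verify_request(rules, action, RESTFUL_VERBS.fetch(action), params)
end

# The asker's first rule: update must be POST. The form reaches update as
# PUT, so the rule redirects to show and nothing is saved.
ASKERS_RULE = [VerifyRule.new(:post, [:update], {:action => :show})]
# The asker's second rule additionally demands POST for edit, which is GET.
ASKERS_RULE2 = [VerifyRule.new(:post, [:update, :edit], {:action => :show})]
# The answer's fix: update must be PUT, and edit is left alone.
FIXED_RULE = [VerifyRule.new(:put, [:update], {:action => :show})]
```

With `FIXED_RULE`, a plain GET to `update` is still redirected, which is the CSRF-related property the guide is after: a state-changing action cannot be triggered by a link or image tag.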
