Reputation: 29787
How do I secure this post request to Rails?
I'm trying to work out security for my AJAX calls. I've got a jQuery post call which deletes a note. From what I've read, it seems that I need to use protect_from_forgery to ensure that the post is coming from a valid user.
This is what I have so far
application_controller.rb
class ApplicationController < ActionController::Base
protect_from_forgery
...
index.html
$.post('../delete_note',{id:$('#note_id').val()}, function(data) {
});
note_controller.rb
def delete_note
y params
render :text => "success"
end
At the moment, the post request gets run by Rails, even though I'm not sending any security token with it. What do I need to do secure the call?
I'm using Rails 3.0.1 and devise for user management.
Upvotes: 2
Views: 882
Answers (1)
Reputation: 6436
You probably want to ensure the user is signed in, using in your note controller something like:
before_filter :authenticate_member!, :except => [:index]
Additionally, check if the user has the rights to delete the note, for that you want to use a authorization solution like cancan.
Upvotes: 3
Related Questions
- Can't verify CSRF token authenticity! RAILS API with POST
- Rails: Can't verify CSRF token authenticity when making a POST request
- Rails post can't verify CSRF token authenticity
- Rails authenticity token (CSRF) provided but being refused
- Rails4 - How to receive and send JSON data securely through Ajax and store it?
- How do I make a POST request from one rails app to another?
- Rails and ajax request: not using csrf working?
- Doing AJAX Post in rails without passing in the authenticity_token
- rails how to give data to ajax in a secure way?
- My jquery AJAX POST requests works without sending an Authenticity Token (Rails)