Reputation: 3059
When a certain method is called in one of my Rails controllers I would like to check if the IP address of the user is on a trusted list, and if so override the request.forgery_whitelisted? method to be true so that CSRF protection isn't enforced.
A blog post I have read seems to suggest that declaring the following in the controller action would achieve this but it still throws a CSRF protection error.
    if request.remote_ip == "127.0.0.1"
      def request.forgery_whitelisted?; true; end
    end
Is there somewhere else this needs to happen in order to override the method early enough for it to take effect?
Upvotes: 0
Views: 194
Reputation: 189
Either of the following should work:
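    def verify_authenticity_token
      # Run the normal CSRF check for everyone except the trusted address
      super unless request.remote_ip == '127.0.0.1' # TODO: replace this with actual white-listing logic
    end

    # Module name is illustrative. Prepending keeps the original method reachable via super.
    module TrustedIpForgeryWhitelist
      def forgery_whitelisted?
        remote_ip == '127.0.0.1' || super # TODO: replace this with actual white-listing logic
      end
    end
    ActionDispatch::Request.prepend(TrustedIpForgeryWhitelist)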
Upvotes: 1
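One way to fill in the "actual white-listing logic" TODO from the answer above, as an added example that is not code from the question, the answer or Rails. The allowlist entries are constructed, and `TRUSTED_NETWORKS`, `trusted_ip?`, `FakeRequest`, `BaseController` and `WebhooksController` are hypothetical names; the two stand-in classes exist only so the `super` override runs without Rails.

```ruby
require 'ipaddr'

# Constructed sample allowlist (assumption): loopback plus one internal subnet.
TRUSTED_NETWORKS = %w[127.0.0.1/32 ::1/128 10.20.0.0/24].map { |cidr| IPAddr.new(cidr) }.freeze

# True only when the value is a single, parseable address inside an allowlisted
# network. Anything else (nil, blank, hostnames, CIDR strings) fails closed.
def trusted_ip?(value, networks = TRUSTED_NETWORKS)
  text = value.to_s.strip
  # Reject "a.b.c.d/len": IPAddr would mask it down to a network address,
  # so "10.20.1.5/16" would otherwise be read as 10.20.0.0 and match.
  return false if text.empty? || text.include?('/')

  ip = IPAddr.new(text)
  ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 is treated as 127.0.0.1
  networks.any? { |net| net.family == ip.family && net.include?(ip) }
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  false
end

# Minimal stand-ins for the Rails request and controller (hypothetical names),
# so the "super" override from the answer can run without Rails.
FakeRequest = Struct.new(:remote_ip)

class BaseController
  attr_reader :request

  def initialize(request)
    @request = request
  end

  # Rails compares the submitted token with the session token here.
  def verify_authenticity_token
    :token_checked
  end
end

class WebhooksController < BaseController
  # Skip the token check only for allowlisted clients; everyone else gets it.
  def verify_authenticity_token
    return :skipped_for_trusted_ip if trusted_ip?(request.remote_ip)

    super
  end
end
```

In Rails, `request.remote_ip` is derived from forwarding headers by the `ActionDispatch::RemoteIp` middleware, so the allowlist is only as reliable as the trusted-proxy configuration behind it.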