@mitio
Created November 16, 2010 18:57
Small helper to allow generating forms without authenticity_token (when you have protect_from_forgery globally active).
# lib/forgery_protection_helpers.rb
module ForgeryProtectionHelpers
  # Renders the given block with forgery protection switched off on the
  # current controller, so form helpers called inside it emit no
  # authenticity_token hidden field.
  def without_forgery_protection
    return unless block_given? && respond_to?(:controller)

    original_value = controller.allow_forgery_protection
    controller.allow_forgery_protection = false
    begin
      yield
    ensure
      # Restore the original setting even if the block raises, so the rest
      # of the page keeps its tokens.
      controller.allow_forgery_protection = original_value
    end
  end
end

# app/application_controller.rb
class ApplicationController < ActionController::Base
  protect_from_forgery
  helper ForgeryProtectionHelpers
end

# app/views/foo/form.html.erb
<% without_forgery_protection do %>
  <% form_for ... %>
    <!-- no authenticity token hidden field will be added to this form -->
  <% end %>
<% end %>
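An added example, not part of the original gist: a plain-Ruby model of the helper's effect, showing that a form posted to another origin is rendered without the session's CSRF token, that a form rendered afterwards still gets it, and that the flag is restored when the block raises. `FakeController`, `FakeView`, `form_html`, `demo`, the token value and the `thirdparty.example` URL are hypothetical stand-ins; gating the hidden field on `allow_forgery_protection` is a simplified model of what the Rails form helpers do.

```ruby
# Added example: stand-in objects, not Rails classes. Only the names
# allow_forgery_protection and without_forgery_protection come from the gist.
FakeController = Struct.new(:allow_forgery_protection)

class FakeView
  attr_reader :controller

  def initialize(controller)
    @controller = controller
  end

  # The gist helper, with `ensure` so the flag is restored even when the
  # block raises.
  def without_forgery_protection
    return unless block_given? && respond_to?(:controller)
    original_value = controller.allow_forgery_protection
    controller.allow_forgery_protection = false
    begin
      yield
    ensure
      controller.allow_forgery_protection = original_value
    end
  end

  # Simplified model of a form helper: the hidden token field is emitted
  # only while forgery protection is enabled on the controller.
  def form_html(action, token = "CONSTRUCTED-TOKEN")
    hidden = ""
    if controller.allow_forgery_protection
      hidden = %(<input type="hidden" name="authenticity_token" value="#{token}">)
    end
    %(<form action="#{action}" method="post">#{hidden}</form>)
  end
end

def demo
  view = FakeView.new(FakeController.new(true))
  # Form for the external service: rendered inside the helper block.
  external = view.without_forgery_protection { view.form_html("https://thirdparty.example/pay") }
  # Form for our own application: rendered after the block has finished.
  internal = view.form_html("/orders")
  begin
    view.without_forgery_protection { raise "render failed" }
  rescue RuntimeError
    # The error propagates; the flag must still be back to its old value.
  end
  { external: external, internal: internal,
    restored: view.controller.allow_forgery_protection }
end
```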
mitio commented Nov 17, 2010

Long story short, I needed to make a form to a third-party service, using form_tag, but without that authenticity_token parameter in the form (it was breaking stuff on the third-party service — you don't want to know why...)

skanev commented Nov 17, 2010

Fair enough. I would consider not using form_for, but going with vanilla text_field_tag, though. I think it sends a better message to the reader.
