I have worked out how to disable the authenticity_token in the controller but rails still 开发者_运维百科creates the field in the forms. How do i turn this off as the server i am posting the form to needs a very specific set of field names.
In rails after 3.2.x you can pass a parameter into the form generator as suggested in another answer:
form_for @invoice, :url => external_url, :authenticity_token => false do |f|
...
<% end %>
In any rails version you can disable globally in config/application.rb, as in another answer:
config.action_controller.allow_forgery_protection = false
In rails 3.0.x you can disable on a page load basis in the controller by overriding the following method. Unfortunately, there seems to be no way to do this at the form level.
protected
def protect_against_forgery?
if ...
# results in the meta tag being ommitted and no forms having authenticity token
return false
else
# default implementation based on global config
return allow_forgery_protection
end
end
To disable it across your application, you can add this line to your config/application.rb:
config.action_controller.allow_forgery_protection = false
For external urls you can turn this of per form as follows:
<%= form_for @invoice, :url => external_url, :authenticity_token => false do |f|
...
<% end %>
Source: http://apidock.com/rails/ActionView/Helpers/FormHelper/form_for
精彩评论