Home/ Questions/Q 858739
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T08:34:57+00:00

Is there any provisions in rails that would allow all AJAX POST requests from

  • 0

Is there any provisions in rails that would allow all AJAX POST requests from the site to pass without an authenticity_token?

I have a Jquery POST ajax call that calls a controller method, but I did not put any authenticity code in it and yet the call succeeds.

My ApplicationController does have ‘request_forgery_protection’ and I’ve changed

config.action_controller.consider_all_requests_local

to false in my environments/development.rb

I’ve also searched my code to ensure that I was not overloading ajaxSend to send out authenticity tokens.

Is there some mechanism in play that disables the check? Now I’m not sure if my CSRF protection is working or not.

I’m using Rails 2.3.5.

Update for clarity:

function voteup(url, groupid){
      $.ajax({
        type: "POST",
        url: "/groups/" + groupid + "/submissions/voteup",
        data: "url=" + url,
        dataType: 'text',
        success: function(data){
          var counter = "vote_" + url;
          $('#vote_' + url.cleanify()).text(" " + data + " ");
        }
      });
    };

I have a link which then has a ‘href that calls the above function:

<a href='javascript:voteup(param1,param2)'>...</a>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    A likely scenario here is that you’re using jQuery to serialize a normal Rails form… and it is including in that the serialized auth token hidden field (Rails adds them to all forms).

    Look at your generated source for the form you’re submitting… it’s likely you’ll see

    <input name="authenticity_token" type="hidden" value="somethinghere...." />

    The other thing you can do is check the log to see if the authenticity_token field is in the request params.

    • 0