You are right, if you keep on the security token, Rails will complain
about it and not allow your resources to be accessed.
So in order to create services that are supposed to be accessed by
anyone at any time, the security token must be deactivated.
If you need to restrict access to a resource operation, REST
authentication and authorization is usually not done through the (Rails
specific) security token. Devs will usually pick OAuth... there is
still a token in place, but it's a more well-known approach.
What do you think?
Regards
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/
I don't know about the curl, I believe it should not work on Rails
defaults. Can you try the following?
rails new test
cd test
rails g scaffold product
rake db:migrate
rails s &
sleep 5
curl http://localhost:3000/products -d "a=b"
Yes, most of the time we are using http authentication, oauth and
https. When using OAuth, you either implement your own OAuth provider
and satellite systems or just the satellite system connecting to the
provider you want to support (such as Twitter).
Do you need to do it in your current project?
Regards
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/
Now that's weird! :)
Ok, gem versions maybe?
I've got
rails (3.0.3, 3.0.0)
Which one are you using? I'll install the same one and try again.
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/
I did not see where it makes the difference between API request/simple
request, I probably looked on the wrong method:
# Returns true or false if a request is verified. Checks:
#
# * is it a GET request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given token value from the params?
# * Does the X-CSRF-Token header match the form_authenticity_token
def verified_request?
  !protect_against_forgery? || request.get? ||
    form_authenticity_token == params[request_forgery_protection_token] ||
    form_authenticity_token == request.headers['X-CSRF-Token']
end
Is this the one?
Regards
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/
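An added example, not part of the original thread or of Rails itself: a stand-alone model of the verified_request? decision quoted above, run against constructed requests so the outcome for a curl-style POST without a token can be checked next to GET, form-token, header-token and protection-disabled cases. FakeRequest, ForgeryChecker and the sample token are assumptions made for the example.

```ruby
# Minimal stand-in for the Rails request object: verb, params and headers.
class FakeRequest
  attr_reader :verb, :params, :headers
  def initialize(verb, params = {}, headers = {})
    @verb, @params, @headers = verb, params, headers
  end
  def get?; verb == 'GET'; end
end

# Mirrors the verified_request? logic quoted in the thread. The session
# token is injected so the check can run without a real Rails session.
class ForgeryChecker
  REQUEST_FORGERY_PROTECTION_TOKEN = 'authenticity_token'

  def initialize(session_token, protect: true)
    @session_token = session_token
    @protect = protect   # false models protect_from_forgery being disabled
  end

  def protect_against_forgery?; @protect; end
  def form_authenticity_token; @session_token; end

  # Same four conditions as the quoted Rails method: protection off,
  # GET, token in the params, or token in the X-CSRF-Token header.
  def verified_request?(request)
    !protect_against_forgery? || request.get? ||
      form_authenticity_token == request.params[REQUEST_FORGERY_PROTECTION_TOKEN] ||
      form_authenticity_token == request.headers['X-CSRF-Token']
  end
end

# Runs the constructed cases and returns the verdict for each.
def demo_outcomes
  token = 'constructed-session-token'   # constructed sample, not a real token
  on  = ForgeryChecker.new(token)
  off = ForgeryChecker.new(token, protect: false)
  {
    curl_post_no_token: on.verified_request?(FakeRequest.new('POST', 'a' => 'b')),
    get:                on.verified_request?(FakeRequest.new('GET')),
    post_param_token:   on.verified_request?(FakeRequest.new('POST', 'authenticity_token' => token)),
    post_header_token:  on.verified_request?(FakeRequest.new('POST', {}, 'X-CSRF-Token' => token)),
    post_wrong_token:   on.verified_request?(FakeRequest.new('POST', 'authenticity_token' => 'other')),
    protection_off:     off.verified_request?(FakeRequest.new('POST', 'a' => 'b'))
  }
end

demo_outcomes.each { |name, ok| puts "#{name}: #{ok ? 'verified' : 'NOT verified'}" }
```

What Rails does with an unverified request (raising an exception or resetting the session) depends on the Rails version, so only the verdict is modelled here.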
2011/2/21 George Guimarães <george.g...@gmail.com>:
I was through another feature and came across the jQuery plugin. They
use a helper method to include the forgery protection tags, I
believe that's why they mention "javascript calls" as safe. Not that
anyone can make that call, but anyone who is using the Rails 3 helper
(= only if you yourself are doing the request within your server?).
Regards
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/