<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Module: ActionController::RequestForgeryProtection</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <meta http-equiv="Content-Script-Type" content="text/javascript" /> <link rel="stylesheet" href="../.././rdoc-style.css" type="text/css" media="screen" /> <script type="text/javascript"> // <![CDATA[ function popupCode( url ) { window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400") } function toggleCode( id ) { if ( document.getElementById ) elem = document.getElementById( id ); else if ( document.all ) elem = eval( "document.all." + id ); else return false; elemStyle = elem.style; if ( elemStyle.display != "block" ) { elemStyle.display = "block" } else { elemStyle.display = "none" } return true; } // Make codeblocks hidden by default document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" ) // ]]> </script> </head> <body> <div id="classHeader"> <table class="header-table"> <tr class="top-aligned-row"> <td><strong>Module</strong></td> <td class="class-name-in-header">ActionController::RequestForgeryProtection</td> </tr> <tr class="top-aligned-row"> <td><strong>In:</strong></td> <td> <a href="../../files/lib/action_controller/request_forgery_protection_rb.html"> lib/action_controller/request_forgery_protection.rb </a> <br /> </td> </tr> </table> </div> <!-- banner header --> <div id="bodyContent"> <div id="contextContent"> </div> <div id="method-list"> <h3 class="section-bar">Methods</h3> <div class="name-list"> <a href="#M000147">form_authenticity_token</a> <a href="#M000143">included</a> <a href="#M000148">protect_against_forgery?</a> <a href="#M000146">verifiable_request_format?</a> <a 
href="#M000145">verified_request?</a> <a href="#M000144">verify_authenticity_token</a> </div> </div> </div> <!-- if includes --> <div id="section"> <div id="class-list"> <h3 class="section-bar">Classes and Modules</h3> Module <a href="RequestForgeryProtection/ClassMethods.html" class="link">ActionController::RequestForgeryProtection::ClassMethods</a><br /> </div> <!-- if method_list --> <div id="methods"> <h3 class="section-bar">Public Class methods</h3> <div id="method-M000143" class="method-detail"> <a name="M000143"></a> <div class="method-heading"> <a href="RequestForgeryProtection.src/M000143.html" target="Code" class="method-signature" onclick="popupCode('RequestForgeryProtection.src/M000143.html');return false;"> <span class="method-name">included</span><span class="method-args">(base)</span> </a> </div> <div class="method-description"> </div> </div> <h3 class="section-bar">Protected Instance methods</h3> <div id="method-M000147" class="method-detail"> <a name="M000147"></a> <div class="method-heading"> <a href="RequestForgeryProtection.src/M000147.html" target="Code" class="method-signature" onclick="popupCode('RequestForgeryProtection.src/M000147.html');return false;"> <span class="method-name">form_authenticity_token</span><span class="method-args">()</span> </a> </div> <div class="method-description"> <p> Sets the token value for the current session. Pass a <tt>:secret</tt> option in <tt>protect_from_forgery</tt> to add a custom salt to the hash. 
</p> </div> </div> <div id="method-M000148" class="method-detail"> <a name="M000148"></a> <div class="method-heading"> <a href="RequestForgeryProtection.src/M000148.html" target="Code" class="method-signature" onclick="popupCode('RequestForgeryProtection.src/M000148.html');return false;"> <span class="method-name">protect_against_forgery?</span><span class="method-args">()</span> </a> </div> <div class="method-description"> </div> </div> <div id="method-M000146" class="method-detail"> <a name="M000146"></a> <div class="method-heading"> <a href="RequestForgeryProtection.src/M000146.html" target="Code" class="method-signature" onclick="popupCode('RequestForgeryProtection.src/M000146.html');return false;"> <span class="method-name">verifiable_request_format?</span><span class="method-args">()</span> </a> </div> <div class="method-description"> </div> </div> <div id="method-M000145" class="method-detail"> <a name="M000145"></a> <div class="method-heading"> <a href="RequestForgeryProtection.src/M000145.html" target="Code" class="method-signature" onclick="popupCode('RequestForgeryProtection.src/M000145.html');return false;"> <span class="method-name">verified_request?</span><span class="method-args">()</span> </a> </div> <div class="method-description"> <p> Returns true if the request is verified and false otherwise. Checks: </p> <ul> <li>Is the format restricted? By default, only HTML requests are checked. </li> <li>Is it a GET request? GET requests should be safe and idempotent. </li> <li>Does the <a href="RequestForgeryProtection.html#M000147">form_authenticity_token</a> match the given token value from the params? 
</li> </ul> </div> </div> <div id="method-M000144" class="method-detail"> <a name="M000144"></a> <div class="method-heading"> <a href="RequestForgeryProtection.src/M000144.html" target="Code" class="method-signature" onclick="popupCode('RequestForgeryProtection.src/M000144.html');return false;"> <span class="method-name">verify_authenticity_token</span><span class="method-args">()</span> </a> </div> <div class="method-description"> <p> The actual before_filter that is used. Modify this to change how you handle unverified requests. </p> </div> </div> </div> </div> </body> </html>
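The three checks listed for verified_request?, modelled in plain Ruby as an added example (this is not the Rails source). The Request struct, model_token, same_token?, the HMAC-SHA256 token derivation and every sample value are assumptions made for illustration; the output shows which requests are accepted without any token comparison.

```ruby
require "openssl"

# Constructed request stand-in (hypothetical; not a Rails class).
Request = Struct.new(:verb, :fmt, :params, :session_id)

SECRET = "constructed-demo-secret"   # plays the role of the :secret salt
CHECKED_FORMATS = [:html].freeze     # per the page: only HTML is checked by default

# Assumed token derivation for this model: HMAC-SHA256 over the session id.
def model_token(session_id, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, session_id)
end

# Length check plus XOR accumulation, so the comparison does not stop early.
def same_token?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Walks the three checks in the order the page lists them.
# Returns [verified, reason].
def model_verified_request(req)
  return [true, :format_not_checked] unless CHECKED_FORMATS.include?(req.fmt)
  return [true, :get_exempt] if req.verb == :get
  given = req.params[:authenticity_token].to_s
  same_token?(given, model_token(req.session_id)) ? [true, :token_match] : [false, :token_mismatch]
end

SID = "constructed-session-id"
# Constructed sample requests, one per outcome.
SAMPLES = {
  post_with_token:  Request.new(:post, :html, { authenticity_token: model_token(SID) }, SID),
  post_no_token:    Request.new(:post, :html, {}, SID),
  post_other_sess:  Request.new(:post, :html, { authenticity_token: model_token("other") }, SID),
  get_state_change: Request.new(:get,  :html, {}, SID),
  post_xml:         Request.new(:post, :xml,  {}, SID)
}.freeze

def model_results
  SAMPLES.transform_values { |req| model_verified_request(req) }
end

model_results.each { |name, (ok, why)| puts "#{name}: verified=#{ok} (#{why})" }
```

The GET and non-HTML samples are accepted with no token at all, so an action that changes state is covered by the filter only when it is reached by a non-GET request in a checked format.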