Rails CSFR protection: is it corrent to write before_filter?

314 views Asked by At

My application controller looks like this:

class ApplicationController < ActionController::Base
  protect_from_forgery
  before_filter :check_csrf
  def check_csrf
    if not verified_request?
      redirect_to root_url, :error => "forgery protection"
      return
    end
  end
end

Without check_csrf, Rails writes warning to server console on bad responses, then execution continues as usually. So I had to write my own check_csrf. Now it works fine. Is it correct? Is there a simplier way to stop execution of bad request?

Rails version: 3.1.

1

There are 1 answers

0
Michał Simka On BEST ANSWER

I think you should override handle_unverified_request.

Something like that:

class ApplicationController < ActionController::Base
  protect_from_forgery

  protected
    def handle_unverified_request
      redirect_to root_url, :error => "forgery protection"
    end
end