Protect your XHR actions (RoR)
(No Ratings Yet)
Loading ...Using XHR within Ruby on Rails is as easy as adding up 1 and 1. We use e.g. the link_to_remote helper and point it to a controllers action. The small problem here is that the XHR actions are all available publicly. So calling the action directly within the browser works as well. I say ’small’ problem because we cannot really prevent calling them directly but we can narrow the access only to XHR calls. We want to achieve that a common request to an XHR will fail. XHR actions will only be available if the request itself is an xhr?.
The solution with a bit of Rubyism: every xhr action needs to be postfixed with _xhr. If a calling request is not an xhr then we redirect the user the home url. For this we add a simple before_filter within our ApplicationController which will check all out actions. Here is the snippet… (more…)
FEED ME!
Michal: "Urs i would suggest you make use of the sortedlist from .net inside ASP (check..."
Urs: "Great work - but a small question back to the first comment: i hav2 “set RSSFeed1 =..."
Jake: "The login.asp didn’t work until I added [asp] page.DBConnection = true [/asp]"
Antony: "Hi there, Thankyou for your time and energy in creating, and making available, this..."
dave m: "looks nice Michal. If i may be so bold to inquire: what tool/method are you using to..."
david: "Wow, looks great man! really great idea. It would be good to know how ajaxed performs..."