From 09edaf49646c14b6162726c1fb2bc0e980c3962f Mon Sep 17 00:00:00 2001 From: Vijay Dev Date: Mon, 2 May 2011 17:39:46 +0530 Subject: removed reference to verify method --- railties/guides/source/security.textile | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) (limited to 'railties/guides') diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index 40fe764ae9..8c408ec06b 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -211,15 +211,7 @@ The HTTP protocol basically provides two main types of requests - GET and POST ( If your web application is RESTful, you might be used to additional HTTP verbs, such as PUT or DELETE. Most of today‘s web browsers, however do not support them - only GET and POST. Rails uses a hidden +_method+ field to handle this barrier. -_(highlight)The verify method in a controller can make sure that specific actions may not be used over GET_. Here is an example to verify the use of the transfer action over POST. If the action comes in using any other verb, it redirects to the list action. - - -verify :method => :post, :only => [:transfer], :redirect_to => {:action => :list} - - -With this precaution, the attack from above will not work, because the browser sends a GET request for images, which will not be accepted by the web application. - -But this was only the first step, because _(highlight)POST requests can be sent automatically, too_. Here is an example for a link which displays www.harmless.com as destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request. +_(highlight)POST requests can be sent automatically, too_. Here is an example for a link which displays www.harmless.com as destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request.