I made a demo application with `rails new demo`, then generated a scaffolded user controller with `rails generate scaffold User name:string email:string`. The scaffold's code has an `ApplicationController` with `protect_from_forgery`, and a `UsersController` that derives from `ApplicationController`.

I ran webrick, added a user, cool. The authenticity token is used with the POST to /users.

However, still on Rails 3.0.5, I was able to do:

```
niedakh@twettek-laptop:~$ telnet 10.0.0.4 3000
PUT /users/3 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

user[name]=vvvvv&user[email]=shiaus.pl
```
and modify user 3 without providing the token:

```
Started PUT "/users/3" for 10.0.0.4 at 2011-04-02 14:51:24 +0200
  Processing by UsersController#update as HTML
  Parameters: {"user"=>{"name"=>"vvvvv", "email"=>"shiaus.pl\r"}, "id"=>"3"}
  User Load (0.3ms)  SELECT "users".* FROM "users" WHERE "users"."id" = 3 LIMIT 1
', "updated_at" = '2011-04-02 12:51:24.437267' WHERE "users"."id" = 3s.pl
Redirected to http://10.0.0.4:3000/users/3
Completed 302 Found in 92ms
```
I can also do the same with DELETE:

```
DELETE /users/3 HTTP/1.1
```
which gives me:

```
Started DELETE "/users/3" for 10.0.0.4 at 2011-04-02 15:43:30 +0200
  Processing by UsersController#destroy as HTML
  Parameters: {"id"=>"3"}
  SQL (0.7ms)   SELECT name
 FROM sqlite_master
 WHERE type = 'table' AND NOT name = 'sqlite_sequence'
  User Load (0.3ms)  SELECT "users".* FROM "users" WHERE "users"."id" = 3 LIMIT 1
  AREL (0.5ms)  DELETE FROM "users" WHERE "users"."id" = 3
Redirected to http://10.0.0.4:3000/users
Completed 302 Found in 180ms
```
Could you explain to me why I am able to do these things when I never send any token with these requests?
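The behaviour in the question comes from how Rails 3.0.4 and later handle a failed token check: `verify_authenticity_token` calls `handle_unverified_request`, whose default is to `reset_session` and then let the action run. A request that arrives with no session cookie and no token has nothing to lose when the session is reset, so `update` and `destroy` execute anyway; the protection only strips an existing authenticated session. An application that wants such requests refused can override `handle_unverified_request` in `ApplicationController` to raise `ActionController::InvalidAuthenticityToken`. The following plain-Ruby model (added here as an illustration, not Rails source and not code from the question) traces both strategies over the same anonymous PUT; the `Request` struct, the `ForgeryProtection` class and its `handle` method are assumed names chosen to mirror the real `verified_request?` / `handle_unverified_request` pair.

```ruby
# Plain-Ruby model of the Rails 3.0.x protect_from_forgery check (added
# illustration, not Rails source). Method names mirror the real ones so the
# trace can be compared with the framework's behaviour.
require 'securerandom'

# Minimal stand-in for a Rack request: method, params, headers and session.
Request = Struct.new(:method, :params, :headers, :session, keyword_init: true)

class ForgeryProtection
  # :reset_session is the Rails 3.0.4+ default; :exception is the strict
  # behaviour you get by overriding handle_unverified_request to raise.
  def initialize(strategy)
    @strategy = strategy
  end

  # The token lives in the session and is created on first use, as
  # Rails' form_authenticity_token does.
  def form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # GET/HEAD are exempt; any other verb must carry the session's token in the
  # authenticity_token parameter or the X-CSRF-Token header.
  def verified_request?(req)
    return true if %w[GET HEAD].include?(req.method)
    token = form_authenticity_token(req.session)
    token == req.params['authenticity_token'] || token == req.headers['X-CSRF-Token']
  end

  # Returns :action_ran when the controller action would execute,
  # :rejected when the request would be stopped before it.
  def handle(req)
    unless verified_request?(req)
      case @strategy
      when :reset_session
        req.session.clear   # session wiped, but the action still runs
      when :exception
        return :rejected    # InvalidAuthenticityToken raised, action never reached
      end
    end
    :action_ran
  end
end

# Constructed sample: the same anonymous PUT /users/3 as in the question,
# with no cookie (empty session) and no token.
def anonymous_put
  Request.new(method: 'PUT',
              params: { 'user' => { 'name' => 'vvvvv', 'email' => 'shiaus.pl' } },
              headers: {}, session: {})
end

def outcome(strategy)
  ForgeryProtection.new(strategy).handle(anonymous_put)
end

# A legitimate browser form submission: the token was issued into the same
# session that submits it, so it is accepted under either strategy.
def legitimate_post(strategy)
  fp = ForgeryProtection.new(strategy)
  session = {}
  token = fp.form_authenticity_token(session)
  req = Request.new(method: 'POST', params: { 'authenticity_token' => token },
                    headers: {}, session: session)
  fp.handle(req)
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous PUT, reset_session strategy: #{outcome(:reset_session)}"
  puts "anonymous PUT, exception strategy:     #{outcome(:exception)}"
  puts "legitimate POST, exception strategy:   #{legitimate_post(:exception)}"
end
```

Under `:reset_session` the anonymous PUT reports `action_ran`, which is exactly what the `UsersController#update` log above shows; under `:exception` it reports `rejected`, while a form submission carrying the session's own token still runs. In Rails 3.0.x the equivalent of `:exception` is a `handle_unverified_request` override in `ApplicationController` that raises `ActionController::InvalidAuthenticityToken` instead of calling `reset_session`.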