It is possible to turn this protection off for specific actions (with care, and with alternative protection measures in place, I suggest!). Here is an example:
# Skips the CSRF authenticity-token check for process_payment only; every other
# action in this controller stays protected.
# NOTE(review): an exempted action accepts cross-site POSTs, so it needs its own
# proof that the request is genuine (for example a signature or shared secret
# checked inside the action) -- this page does not show which measure is used.
protect_from_forgery :except => [:process_payment]
# CSRF token verification is disabled for process_payment; the action must
# authenticate the caller some other way (not shown here -- confirm).
protect_from_forgery :except => [:process_payment]
<%# Interstitial page: once loaded, the script below auto-submits the first form, POSTing %>
<%# the payment result (paid, order_id) to the merchant's redirect URL via the browser. %>
<%# NOTE(review): both hidden fields travel through the customer's browser unsigned, so %>
<%# the customer can alter them before submission. The receiving shop should not treat %>
<%# :paid as proof of payment unless it verifies it independently (a signed value or a %>
<%# server-to-server status check) - nothing on this page shows such a check. %>
<%# NOTE(review): with forgery protection enabled, form_tag presumably also emits the %>
<%# authenticity_token hidden field, which would then be sent to the external merchant %>
<%# URL - confirm against the rendered HTML. %>
<%# NOTE(review): there is no submit button, so the form never posts if JavaScript is off. %>
<h2>Back to the shop....</h2>
<script type="text/javascript">
Event.observe(window, 'load', function() {
document.forms[0].submit();
});
</script>
<% form_tag @merchant.redirect_url, :method => :post do %>
<%= hidden_field_tag :paid, @paid %>
<%= hidden_field_tag :order_id, @payment.merchant_order_id %>
<% end %>
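# Builds the WHERE clause for the product list from the search/filter params.
# User input is passed as bind values (the "?" placeholders) instead of being
# interpolated into the SQL text, so a crafted prod_search cannot change the query.
conditions = []
binds = []
# nil-safe: a missing prod_search param is treated as an empty search.
search = params[:prod_search].to_s
# Contains field has value: title matches anywhere, code matches as a prefix.
unless search.empty?
  conditions << "(title LIKE ? OR code LIKE ?)"
  # NOTE: "%" and "_" typed by the user still act as LIKE wildcards.
  binds << "%#{search}%" << "#{search}%"
end
# Non-offered selected (static SQL, no user input in the text).
conditions << "id NOT IN (SELECT distinct(product_id) from shop_offers)" if params[:prod_filter] == "non_offered"
# Array form [sql, *binds] lets ActiveRecord quote each value; nil means no filter.
where = conditions.empty? ? nil : [conditions.join(" AND "), *binds]
@products_avail = Product.find(:all, :conditions => where)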
<%# Watches the month_date field; on change it sends the serialized month_date and %>
<%# year_date values to the month_offers action by Ajax and puts the response into %>
<%# the element with id "list", showing the spinner while the request is in flight. %>
<%# NOTE(review): both values come from the client, so month_offers should validate %>
<%# them before using them in a query - that action is not shown here. %>
<%= observe_field :month_date, :update => "list",
:before => "Element.show('spinner')",
:complete => "Element.hide('spinner')",
:url => {:action => :month_offers, :only_path => false},
:with => "Form.serializeElements($('month_date', 'year_date'))"
%>