BJ Clark
2008-Apr-09 00:21 UTC
[Facebooker-talk] form_tag and form_for cause #protect_from_forgery errors
Hey All,

I'm trying to do a simple form_for (and I also get it with form_tag) and I'm getting the following error:

ActionView::TemplateError (No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).) on line #2 of users/new.fbml.erb:
1: <h1>Welcome To Courses, Let's Get Started.</h1>
2: <% form_for :user, user_path, :method => :post do |form| %>
3: <fb:editor-custom label="You are a">
4: <label><%= radio_button_tag 'user_type', 'student', true %> Student</label>
5: <label><%= radio_button_tag 'user_type', 'instructor' %> Teacher</label>

    vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb:114:in `form_authenticity_token'
    (eval):2:in `send'
    (eval):2:in `form_authenticity_token'
    vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:453:in `token_tag'
    vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:430:in `extra_tags_for_form'
    vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:438:in `form_tag_html'
    vendor/rails/actionpack/lib/action_view/helpers/form_tag_helper.rb:41:in `form_tag'
    vendor/rails/actionpack/lib/action_view/helpers/form_helper.rb:204:in `form_for'
    app/views/users/new.fbml.erb:2:in `_run_erb_47app47views47users47new46fbml46erb'

I've got this in my application.rb:

    config.action_controller.session_store = :active_record_store
    config.action_controller.session = {
      :session_key => '_app_session',
      :secret      => 'xxx'
    }

What's the trick for getting around this?

Thanks,
BJ Clark
Jaime Bulmer
2008-Apr-09 00:24 UTC
[Facebooker-talk] form_tag and form_for cause #protect_from_forgery errors
Can't remember the original writer of this, but put it in your /lib to disable forgery protection while in Facebook.

    ActionController::RequestForgeryProtection.module_eval do
      alias :original_verify_authenticity_token :verify_authenticity_token

      def verify_authenticity_token(*args)
        if controller.params.include?('fb_sig') && controller.action == 'sekret_method'
          # Pretend to call this before_filter.
          true
        else
          original_verify_authenticity_token(*args)
        end
      end
    end
Mike Mangino
2008-Apr-09 01:06 UTC
[Facebooker-talk] form_tag and form_for cause #protect_from_forgery errors
If you generate an application with Rails 2.0, it will put the following section in environment.rb

    # Your secret key for verifying cookie session data integrity.
    # If you change this key, all old sessions will become invalid!
    # Make sure the secret is at least 30 characters and all random,
    # no regular words or you'll be exposed to dictionary attacks.
    config.action_controller.session = {
      :session_key => '_app_session',
      :secret      => 'longstring'
    }

Just uncomment the secret and you should be good to go.

Mike

--
Mike Mangino
http://www.elevatedrails.com
BJ Clark
2008-Apr-09 16:28 UTC
[Facebooker-talk] form_tag and form_for cause #protect_from_forgery errors
Mike,

My secret is not commented out. Is there any way to test this stuff in script/console?

environment.rb:

    # Your secret key for verifying cookie session data integrity.
    # If you change this key, all old sessions will become invalid!
    # Make sure the secret is at least 30 characters and all random,
    # no regular words or you'll be exposed to dictionary attacks.
    config.action_controller.session = {
      :session_key => '_yyy_session',
      :secret      => 'xxx'
    }

    # Use the database for sessions instead of the cookie-based default,
    # which shouldn't be used to store highly confidential information
    # (create the session table with 'rake db:sessions:create')
    config.action_controller.session_store = :active_record_store

I'm not sure what's up.

Thanks,
BJ Clark
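Added example, not part of the mailing-list thread and not Rails or Facebooker code: a simplified Ruby model of how Rails 2.0 picks the key for the form authenticity token, showing why the configuration quoted in the thread still raises the error. The session `:secret` is only used by the cookie store; with a server-side store such as `:active_record_store`, the key has to be passed as `:secret` to `protect_from_forgery`. The function names, keyword arguments and sample values are constructed for illustration.

```ruby
require 'openssl'

# Simplified model of Rails 2.0 token selection; an illustration, not Rails source.
class MissingForgerySecret < StandardError; end

def hmac_sha1(key, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), key, data)
end

# forgery_secret: the :secret given to protect_from_forgery (nil when omitted)
# session_secret: the :secret in config.action_controller.session
def form_authenticity_token(store:, session_id:, forgery_secret: nil, session_secret: nil)
  if forgery_secret
    # Server-side stores: the token is an HMAC bound to the session id.
    hmac_sha1(forgery_secret, session_id)
  elsif store == :cookie_store && session_secret
    # The cookie store can sign with its own session secret. Rails signs a
    # random per-session id kept in the cookie; session_id stands in for it.
    hmac_sha1(session_secret, session_id)
  else
    # For any other store the session :secret is never consulted.
    raise MissingForgerySecret, 'No :secret given to the #protect_from_forgery call.'
  end
end

# Constant-time comparison of a submitted token with the expected one.
def token_valid?(submitted, expected)
  return false unless submitted.bytesize == expected.bytesize
  submitted.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Constructed stand-in for the thread's setup: active_record_store plus a
# session :secret, but no :secret on protect_from_forgery.
def thread_configuration_result
  form_authenticity_token(store: :active_record_store,
                          session_id: 'constructed-session-id',
                          session_secret: 'x' * 32)
rescue MissingForgerySecret => e
  e.message
end
```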