I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having some trouble with protect_from_forgery. I had protect_from_forgery set in application_controller.rb, but run some uploadify ajax stuff in one of my controllers, where I had protect_from_forgery, :except => :add_file set.

In rails 3 I'm getting ActionController::InvalidAuthenticityToken on the ajax upload unless I turn off protect_from_forgery completely in application_controller.rb. Seems like the exception in my FileUpload controller (protect_from_forgery :except => :add_file) isn't taking.

Has anyone else experienced this. Should I report a bug or am I doing something wrong?

Thanks in advance,
Bryan
Hey Bryan, please do report a bug on Lighthouse. Let's get that fixed up for the next beta.

Thanks!
jeremy

On Mon, Feb 8, 2010 at 7:24 PM, bshelton229 <bryan-HJOrXIUkwXUFmfSYYDvCVcyiEOaA11gU@public.gmane.org> wrote:
> I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having
> some trouble with protect_from_forgery. I had protect_from_forgery set
> in application_controller.rb, but run some uploadify ajax stuff in one
> of my controllers, where I had protect_from_forgery, :except
> => :add_file set.
>
> In rails 3 I'm getting ActionController::InvalidAuthenticityToken on
> the ajax upload unless I turn off protect_from_forgery completely in
> application_controller.rb. Seems like the exception in my FileUpload
> controller (protect_from_forgery :except => :add_file) isn't taking.
>
> Has anyone else experienced this. Should I report a bug or am I doing
> something wrong?
>
> Thanks in advance,
> Bryan
I'm experiencing the same issue when implementing Uploadify into a Rails 3.0.0.beta2 application. A comment and a question:

1) You shouldn't need to disable protect_from_forgery for uploads if you pass your session data to Uploadify, then back to Rails when you do the upload. But for the time being, disabling protect_from_forgery is the only way I've been able to get Uploadify to work too.

2) In order to insert middleware in Rails 3, add the following to config/application.rb:

config.middleware.insert_before(ActionDispatch::Session::CookieStore, FlashSessionCookieMiddleware, ActionController::Base.session[:key])

However, ActionController::Base.session[:key] is no longer where session information is stored. I've tried accessing it with Rails.application.config.session_store[:key], looked through the source and docs.

How do you access the session data in Rails 3?

Thanks, Patrick

On Feb 8, 11:24 pm, bshelton229 <br...-HJOrXIUkwXUFmfSYYDvCVcyiEOaA11gU@public.gmane.org> wrote:
> I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having
> some trouble with protect_from_forgery. I had protect_from_forgery set
> in application_controller.rb, but run some uploadify ajax stuff in one
> of my controllers, where I had protect_from_forgery, :except
> => :add_file set.
>
> In rails 3 I'm getting ActionController::InvalidAuthenticityToken on
> the ajax upload unless I turn off protect_from_forgery completely in
> application_controller.rb. Seems like the exception in my FileUpload
> controller (protect_from_forgery :except => :add_file) isn't taking.
>
> Has anyone else experienced this. Should I report a bug or am I doing
> something wrong?
>
> Thanks in advance,
> Bryan
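The approach Patrick describes in point 1, as an added example that is not code from the thread or from Uploadify: a stdlib-only Rack-style middleware that restores the session cookie from a request parameter so protect_from_forgery can stay enabled. The cookie name `_app_session`, the sample value and reading the parameter from the query string are assumptions; in Rails 3 the configured cookie name is available as `Rails.application.config.session_options[:key]`.

```ruby
require 'uri'

# Added example, not code from the thread. Flash does not send the browser's
# cookies, so the uploader passes the session cookie value as a request
# parameter and this middleware copies it back into the Cookie header before
# the session store runs. With the session restored, CSRF checks can stay on.
class FlashSessionCookieMiddleware
  FLASH_UA = /\A(Adobe|Shockwave) Flash/

  # session_key: name of the app's session cookie (assumed, e.g. "_app_session")
  def initialize(app, session_key)
    @app = app
    @session_key = session_key.to_s
  end

  def call(env)
    # Ordinary browsers send real cookies, so the parameter is ignored for them.
    if env['HTTP_USER_AGENT'].to_s =~ FLASH_UA
      value = session_param(env['QUERY_STRING'].to_s)
      env['HTTP_COOKIE'] = merge_cookie(env['HTTP_COOKIE'].to_s, value) if value
    end
    @app.call(env)
  end

  private

  # Returns the decoded parameter value, or nil if absent or malformed.
  def session_param(query)
    value = URI.decode_www_form(query).assoc(@session_key)&.last
    value unless value.nil? || value.empty?
  rescue ArgumentError
    nil
  end

  # Replaces any existing session cookie. The value is re-escaped so a
  # parameter containing ";" cannot smuggle extra cookies into the header.
  def merge_cookie(header, value)
    kept = header.split(/;\s*/).reject { |c| c.start_with?("#{@session_key}=") }
    (kept << "#{@session_key}=#{URI.encode_www_form_component(value)}").join('; ')
  end
end

# Constructed request: Flash user agent, session value in the query string.
echo = ->(env) { [200, {}, [env['HTTP_COOKIE'].to_s]] }
stack = FlashSessionCookieMiddleware.new(echo, '_app_session')
env = { 'HTTP_USER_AGENT' => 'Shockwave Flash',
        'QUERY_STRING' => '_app_session=BAh7Bw%3D%3D--1f2e' }
puts stack.call(env)[2].first
```

For protect_from_forgery to pass, the uploader also has to post the page's authenticity_token alongside the file. A session value in the query string ends up in web server access logs, so sending it in the POST body instead is the safer variant.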
Chaps,
Does anyone know if a bug got filed for this issue?

Regards,
Tom

On Apr 9, 9:47 pm, berkelep <patrickberke...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I'm experiencing the same issue when implementing Uploadify into a
> Rails 3.0.0.beta2 application. A comment and a question:
>
> 1) You shouldn't need to disable protect_from_forgery for uploads if
> you pass your session data to Uploadify, then back to Rails when you
> do the upload. But for the time being, disabling protect_from_forgery
> is the only way I've been able to get Uploadify to work too.
>
> 2) In order to insert middleware in Rails 3, add the following to
> config/application.rb:
>
> config.middleware.insert_before(ActionDispatch::Session::CookieStore,
> FlashSessionCookieMiddleware, ActionController::Base.session[:key])
>
> However, ActionController::Base.session[:key] is no longer where
> session information is stored. I've tried accessing it with
> Rails.application.config.session_store[:key], looked through the
> source and docs.
>
> How do you access the session data in Rails 3?
>
> Thanks, Patrick
>
> On Feb 8, 11:24 pm, bshelton229 <br...-HJOrXIUkwXUFmfSYYDvCVcyiEOaA11gU@public.gmane.org>
> wrote:
>
> > I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having
> > some trouble with protect_from_forgery. I had protect_from_forgery set
> > in application_controller.rb, but run some uploadify ajax stuff in one
> > of my controllers, where I had protect_from_forgery, :except
> > => :add_file set.
>
> > In rails 3 I'm getting ActionController::InvalidAuthenticityToken on
> > the ajax upload unless I turn off protect_from_forgery completely in
> > application_controller.rb. Seems like the exception in my FileUpload
> > controller (protect_from_forgery :except => :add_file) isn't taking.
>
> > Has anyone else experienced this. Should I report a bug or am I doing
> > something wrong?
>
> > Thanks in advance,
> > Bryan
No idea, sorry. Think I just ended up hacking the session key with a global variable.

On 2010-05-18, Tom Williams <ceilingfish-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Chaps,
> Does anyone know if a bug got filed for this issue?
>
> Regards,
> Tom
>
> On Apr 9, 9:47 pm, berkelep <patrickberke...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> I'm experiencing the same issue when implementing Uploadify into a
>> Rails 3.0.0.beta2 application. A comment and a question:
>>
>> 1) You shouldn't need to disable protect_from_forgery for uploads if
>> you pass your session data to Uploadify, then back to Rails when you
>> do the upload. But for the time being, disabling protect_from_forgery
>> is the only way I've been able to get Uploadify to work too.
>>
>> 2) In order to insert middleware in Rails 3, add the following to
>> config/application.rb:
>>
>> config.middleware.insert_before(ActionDispatch::Session::CookieStore,
>> FlashSessionCookieMiddleware, ActionController::Base.session[:key])
>>
>> However, ActionController::Base.session[:key] is no longer where
>> session information is stored. I've tried accessing it with
>> Rails.application.config.session_store[:key], looked through the
>> source and docs.
>>
>> How do you access the session data in Rails 3?
>>
>> Thanks, Patrick
>>
>> On Feb 8, 11:24 pm, bshelton229 <br...-HJOrXIUkwXUFmfSYYDvCVcyiEOaA11gU@public.gmane.org>
>> wrote:
>>
>> > I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having
>> > some trouble with protect_from_forgery. I had protect_from_forgery set
>> > in application_controller.rb, but run some uploadify ajax stuff in one
>> > of my controllers, where I had protect_from_forgery, :except
>> > => :add_file set.
>>
>> > In rails 3 I'm getting ActionController::InvalidAuthenticityToken on
>> > the ajax upload unless I turn off protect_from_forgery completely in
>> > application_controller.rb. Seems like the exception in my FileUpload
>> > controller (protect_from_forgery :except => :add_file) isn't taking.
>>
>> > Has anyone else exp