Camilo Torres
2008-Mar-15 19:11 UTC
[rspec-users] [HELP]No :secret given to the #protect_from_forgery call
I am starting to BDD. When speccing the controller I want to test for object creation:

it "deberia crear una nueva persona en post create" do
  Usuario.should_receive(:create).with({:nombre => "camilo", :clave => "secreta", :tipo => "administrador"}).and_return(@usuario)
  post 'create', {:usuario => {:nombre => "camilo", :clave => "secreta", :tipo => "administrador"}}
end

But when I add this spec, I start getting this:

1)
ActionController::InvalidAuthenticityToken in 'UsuarioController deberia crear una nueva persona en post create'
No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).
./spec/controllers/usuario_controller_spec.rb:30:
script/spec:4:

This is the only failure. Line 30 is the post "create".

I am on Ruby 1.8.6, Rails 2.0.2, RSpec 1.1.3 (saw in vendor/plugins/rspec/CHANGES).

I searched Google for solutions and found this:

http://blog.stonean.com/2007/12/rspec-and-protectfromforgery.html

Then I added

@controller.class.protect_from_forgery :secret => "secretkey"

in the before(:each) method. I put the same secret key I found in environment.rb. But now it gives me:

ActionController::InvalidAuthenticityToken

I am lost. Why does this happen? Shouldn't it work just fine with the Rails default configuration? I have not changed anything in environment.rb or application.rb. This is just a new project to learn BDD and RoR. Thanks for any clue to get this to work.
Scott Taylor
2008-Mar-15 19:26 UTC
[rspec-users] [HELP]No :secret given to the #protect_from_forgery call
On Mar 16, 2008, at 2:41 PM, Camilo Torres wrote:

> [...]

I haven't tried any of this, but here's my guess:

One way to get this to work is to stub out protect_from_forgery:

controller.stub!(:protect_from_forgery).and_return "foo"

The better question is: why would you intentionally remove a security feature?

Scott
Mike Vincent
2008-Mar-15 22:19 UTC
[rspec-users] [HELP]No :secret given to the #protect_from_forgery call
I presume the feature is well tested in Rails, and disable it in the test environment (which is done by default, I think).

# in config/environments/test.rb
# Disable request forgery protection in test environment
config.action_controller.allow_forgery_protection = false

-Mike

On Sat, Mar 15, 2008 at 2:26 PM, Scott Taylor <mailing_lists at railsnewbie.com> wrote:
> On Mar 16, 2008, at 2:41 PM, Camilo Torres wrote:
>
> > [...]
>
> I haven't tried any of this, but here's my guess:
>
> One way to get this to work is to stub out protect_from_forgery:
>
> controller.stub!(:protect_from_forgery).and_return "foo"
>
> The better question is: why would you intentionally remove a security feature?
>
> Scott
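To make the difference between the two errors in this thread concrete, here is an added example; it is not code from the thread or from Rails itself, but a constructed model of how the Rails 2.0-era before_filter decides whether a non-GET request is verified. Assumptions in the model: the token is SHA1(secret + session id) when protect_from_forgery gets a :secret, SHA1 of a per-session random id when the session store can generate its own key, and an exception otherwise; the config flag, the param name and the error text follow what is quoted above. The session and params are constructed in the shape of Camilo's spec.

```ruby
require 'digest/sha1'

# Constructed model of Rails 2.0-era request forgery protection (added example,
# not Rails source). The decision logic is what matters here, not the exact digest.
class ForgeryProtection
  class InvalidAuthenticityToken < StandardError; end

  NO_SECRET_MESSAGE = 'No :secret given to the #protect_from_forgery call. ' \
    'Set that or use a session store capable of generating its own keys ' \
    '(Cookie Session Store).'

  # opts[:secret]                   -> protect_from_forgery :secret => "..."
  # opts[:cookie_store]             -> session store able to generate its own key
  # opts[:allow_forgery_protection] -> config.action_controller.allow_forgery_protection
  def initialize(opts = {})
    @secret = opts[:secret]
    @cookie_store = opts.fetch(:cookie_store, false)
    @allow_forgery_protection = opts.fetch(:allow_forgery_protection, true)
  end

  # What the form helper would embed as params[:authenticity_token].
  def form_authenticity_token(session)
    if @secret
      Digest::SHA1.hexdigest(@secret.to_s + session[:session_id].to_s)
    elsif @cookie_store
      session[:csrf_id] ||= 'constructed-random-csrf-id' # assumed random per session
      Digest::SHA1.hexdigest(session[:csrf_id])
    else
      raise InvalidAuthenticityToken, NO_SECRET_MESSAGE
    end
  end

  # GETs and requests made with protection switched off pass without a token;
  # everything else must echo the token derived from the session.
  def verified_request?(method, params, session)
    return true unless @allow_forgery_protection
    return true if method == :get
    params[:authenticity_token] == form_authenticity_token(session)
  end

  # Mirrors the before_filter: raise on an unverified request, otherwise proceed.
  def verify!(method, params, session)
    unless verified_request?(method, params, session)
      raise InvalidAuthenticityToken, 'authenticity token missing or wrong'
    end
    :created
  end
end

# Constructed session and params in the shape of the spec from the thread.
SESSION = { :session_id => 'abc123session' }
PARAMS = { :usuario => { :nombre => 'camilo', :clave => 'secreta', :tipo => 'administrador' } }

# Runs one POST through a configuration and reports the outcome instead of
# letting the exception escape, so the scenarios below can be compared.
def post_create(protection, params = PARAMS, session = SESSION.dup)
  protection.verify!(:post, params, session)
rescue ForgeryProtection::InvalidAuthenticityToken => e
  [:rejected, e.message]
end

# 1. Development config, no :secret, non-cookie store: the first error in the
#    thread, raised while computing the token, before any comparison happens.
def dev_without_secret
  post_create(ForgeryProtection.new)
end

# 2. :secret added in before(:each) but the spec's post carries no token: the
#    second error in the thread, now raised by the comparison itself.
def dev_with_secret_but_no_token
  post_create(ForgeryProtection.new(:secret => 'secretkey'))
end

# 3. config/environments/test.rb: protection off, the bare post is accepted.
def test_env_protection_off
  post_create(ForgeryProtection.new(:secret => 'secretkey', :allow_forgery_protection => false))
end

# 4. Protection kept on and the token sent explicitly, as a real form submission
#    would: accepted, while a forged or stale token is still rejected.
def post_with_token(token_override = nil)
  fp = ForgeryProtection.new(:secret => 'secretkey')
  session = SESSION.dup
  token = token_override || fp.form_authenticity_token(session)
  post_create(fp, PARAMS.merge(:authenticity_token => token), session)
end

if __FILE__ == $0
  p dev_without_secret
  p dev_with_secret_but_no_token
  p test_env_protection_off
  p post_with_token
  p post_with_token('forged-token')
end
```

Scenario 3 is what test.rb gives you for free once the specs actually run under RAILS_ENV=test; scenario 4 is the option if you would rather keep the filter active in controller specs and assert that a POST without the token is refused.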
Camilo Torres
2008-Mar-16 14:26 UTC
[rspec-users] [HELP]No :secret given to the #protect_from_forgery call
Thanks Mike, your comment led me to the answer: I was using the development environment to run the tests. I didn't realize there was any difference between the environments (didn't guess it). When I started the project, I edited spec/spec_helper.rb (and also stories/helper.rb) and changed ENV["RAILS_ENV"] to "development", because I had only one DB user. Of course I can create as many DB users as I need; this is a development box...

Now, using the (right) ENV["RAILS_ENV"] = "test", the problem is solved.

Thanks to Scott Taylor for the other comment.

2008/3/16, Mike Vincent <mike at vincent.ws>:
> I presume the feature is well tested in Rails, and disable it in the test environment (which is done by default, I think).
>
> # in config/environments/test.rb
> # Disable request forgery protection in test environment
> config.action_controller.allow_forgery_protection = false
>
> -Mike
>
> [...]