search for: after_action

Displaying 5 results from an estimated 5 matches for "after_action".

2014 May 03
0
Putting form_authenticity_token (csrf token) in a cookie instead of in meta tags?
...r. Since the form_authenticity_token is different for every session, leaving csrf_meta_tags in the header makes it impossible for a proxy to cache the page. I have an idea for how to fix it but thought I would ask here, to see if people think there would be problems with it: I could create an after_action in ApplicationController that looks like this: after_action :set_authenticity_cookie def set_authenticity_cookie cookies[:form_authenticity_token] = form_authenticity_token if form_authenticity_token end So basically send the form_authenticity_token to the browser in a cookie instead of put...
2008 Mar 08
7
ridding away with do_request
I'm heading out of town, but had a quick thought I wanted to share. Rather than using ambiguously named request helpers in controller specs like "do_request", I've been using more readable helpers like "post_create". For example... describe ProjectController do def post_create post :create, ... end before do end it "creates a new
2008 Jan 30
3
Order of the get call and xxx.should
Just out of curiosity, why is it that the following .should calls have to differ to work? The first is a normal check on whether the user is redirected if not logged in ========= it "should redirect the user to the login screen" do do_get response.should redirect_to(new_session_url) end The second is checking to ensure that the proper user validation method is called ========= it
2006 Apr 09
1
PageSweeper not working since upgrading to 1.1.1
...uby/gems/1.8/gems/actionpack-1.12.1/lib/action_controller/filters.rb:394:in `each' /usr/lib/ruby/gems/1.8/gems/actionpack-1.12.1/lib/action_controller/filters.rb:394:in `call_filters' /usr/lib/ruby/gems/1.8/gems/actionpack-1.12.1/lib/action_controller/filters.rb:389:in `after_action' /usr/lib/ruby/gems/1.8/gems/actionpack-1.12.1/lib/action_controller/filters.rb:369:in `perform_action_without_benchmark' /usr/lib/ruby/gems/1.8/gems/actionpack-1.12.1/lib/action_controller/benchmarking.rb:69:in `perform_action_without_rescue' /usr/lib/ruby/...
2013 Nov 28
74
Remove :js responder
https://github.com/rails/rails/issues/12374#issuecomment-29446761 Here in discussion I proposed to deprecate JS responder because this technique is insecure and not a pragmatic way to transfer data. It can be exploited in this way http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html I find this bug very often so I know what I'm talking about. With it attacker can