search for: allow_forgery_protect

Displaying 9 results from an estimated 9 matches for "allow_forgery_protect".

2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
...k with telling the controller or ActionController::Base to use forgery protection in the spec and am a bit stuck. Has anyone done this before, or do any of these look possible: * reload the rails app for part of the spec, using a different rails initializer (i.e. without config.action_controller.allow_forgery_protection = false as in environments/test.rb) * tell the controller to use forgery protection despite it being turned off in the rails test environment config (haven't had any luck with this so far). * have some specs split off from the main specs which run in a different rails environment,...
2013 Jan 09
4
CSRF resets my session in Firefox
...thod that creates, saves, and sets the session for a shopper as well as for a hit object, then returns some JSON. This works in Chrome and Safari (haven't tested IE yet), but Firefox is a no-go. Basically, the session gets reset by CSRF (I confirmed this by setting config.action_controller.allow_forgery_protection to false and it works), but the weird thing is that upon inspecting the session, I DO have a hit_id, but no shopper_id!! This completely breaks my form and is frustrating as hell :P I'm running on Rails 3.2.11 and Ruby 1.9.3p327. Any and all help would be appreciated!
2009 Mar 12
5
InvalidAuthenticityToken from home page
I'm trying to create a log in in index.html, but I keep getting an error about InvalidAuthenticityToken. I understand this is something that RoR puts in the forms, and it changes regularly. The problem is that the home page in the public folder is html, and therefore static. Has anyone else put a log in on their home page?
2008 Mar 15
3
[HELP]No :secret given to the #protect_from_forgery call
I am starting to BDD. When specing the controller I want to test for object creation: it "deberia crear una nueva persona en post create" do Usuario.should_receive(:create).with({:nombre => "camilo", :clave => "secreta", :tipo => "administrador"}).and_return(@usuario) post 'create', {:usuario => {:nombre =>
2008 Aug 11
0
Rails Environment Config
...key => "_xxx_session", :secret => "65bfb267dc928c66f3d0714d89faf43e" } If I'm using active_record_store above is the config.action_controller.session params required or conflicting? 2. environment.rb Rails::Initializer.run do |config| config.action_controller.allow_forgery_protection = false application.rb protect_from_forgery :secret => 'a7cabcdf1499df9ded55d8a3797d9387' How are these two settings related, what's the effect?
2009 Oct 09
1
protect_from_forgery development mode
Should this be working in development mode? For some reason it doesn't. regards, John
2012 Mar 05
0
Rails 3 - How can you get access to current_user in the IRB console?
...some design/debugging in IRB and need to login a user and then be able to gain access to current_user in my efforts (I'm using Devise for authentication.) I found a sequence from SO that allows me to successfully login via IRB and access a page response: >> ApplicationController.allow_forgery_protection = false >> app.post('/sign_in', {"user"=>{"login"=>"some-login-id", "password"=>"some-password"}}) >> app.get '/some_other_path_that_only_works_if_logged_in' >> pp app.response.body...
2008 Feb 01
2
Turning off InvalidAuthenticityToken for a RESTful Service
Hi, I was trying to write a RESTful service and was planning on testing via tools such as cURL and the basic http libs. With the InvalidAuthenticityToken piece that is turned on by default in Rails 2.0.2, I have to provide the token with each request. This is something of a pain for a programmable client that may not make a GET request before performing other actions, specifically POST, PUT and
2008 Mar 27
3
Help with authentication errors
Hello, I have been working through two books, "Agile Web Development with Rails, 2nd Ed." and "Ajax on Rails". I'm using Rails 2.0. In both cases, I run into an authentication error when doing the examples. In AWDwR, when trying to add new information to the database (p. 68) I get ActionController::InvalidAuthenticityToken in AdminController#create