Displaying 20 results from an estimated 70 matches for "protect_from_forgeri".

2010 Feb 09
4
Rails3 pre and protect_from_forgery
I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having some trouble with protect_from_forgery. I had protect_from_forgery set in application_controller.rb, but run some uploadify ajax stuff in one of my controllers, where I had protect_from_forgery, :except => :add_file set. In rails 3 I'm getting ActionController::InvalidAuthenticityToken on the ajax
2008 Mar 15
3
[HELP]No :secret given to the #protect_from_forgery call
I am starting to BDD. When specing the controller I want to test for object creation: it "deberia crear una nueva persona en post create" do Usuario.should_receive(:create).with({:nombre => "camilo", :clave => "secreta", :tipo => "administrador"}).and_return(@usuario) post 'create', {:usuario => {:nombre =>
2008 Sep 06
4
Is Rails 2.1 "protect_from_forgery" == csrf_killer plugin?
Just would like to verify: Is protect_from_forgery (in Rails 2.1) == the csrf_killer plugin from Rick Olson? Thanks, Wes
2009 Jun 09
3
protect_from_forgery doesnt protect from forgery
Maybe I am grasping the full usage of this protect_from_forgery function, but it does not seem to work for me. Imagine the following: A simple website with a user that needs to log in to do certain stuff and a closed off admin section that only certain users can access that have the is_admin field set to true. So to be clear, my User model has a login, password and is_admin. When displaying the
2009 Oct 13
1
config.action_controller.session[:secret] vs protect_from_forgery :secret
What I want to do is share the same session across many Rails applications. All of them are using Rails 2.2.2. I know that, to share the session, it's (supposedly) just a matter of sharing the same key and secret among the apps, like this: config.action_controller.session = { :session_key => '_apps_session', :secret =>
2008 Sep 23
0
exception_logger and protect_from_forgery
I am having a problem using the exception_logger plugin when I have protect_from_forgery enabled. Here is the line from application.rb: protect_from_forgery :secret => 'xxxx' But I am getting: No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). Now, if I remove the secret and try and
2009 Jun 22
2
protect_from_forgery with db-session (Rails 2.3.2)
I try to use db-session with protect_from_forgery. But I always get an error msg: ActionController::InvalidAuthenticityToken. application_controller.rb protect_from_forgery #:secret => 'top_secret' session_store.rb ActionController::Base.session_store = :active_record_store hope you can help me. Best regards
2007 Oct 03
2
active_record_store sessions does not pass a :secret to #protect_from_forgery in Rails 2.0.0 Preview
After switching to active_record_store to host sessions, I now get the following errors: ActionController::InvalidAuthenticityToken in Pages#edit Showing app/views/pages/edit.html.erb where line #5 raised: No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). Extracted source (around line #5): 2: 3:
2009 Oct 09
1
protect_from_forgery development mode
Should this be working in development mode? For some reason it doesn't. regards, John
2010 Sep 10
0
protect_from_forgery
I am a newbie to Rails, coming from a PHP shop, so please excuse my ignorance. I have two applications. A Codeigniter PHP app and a Rails 3.0 app. The rails app makes paypal api calls and the php app makes curl post calls to the rails app with information from a shopping cart. How can I make this work with protect_from_forgery? I basically want to pass my own auth token from the php app (or any
2008 Mar 19
7
Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st POST
All, I've upgraded to 2.0.2, and I can't get my login screen (the first POST request in the application) to work. When I post this form, I see the "InvalidAuthenticityToken" error. I have protect_from_forgery :secret => 'my_secret' set in application.rb and I am using an active_record session store based on this line in environment.rb:
2008 Apr 09
3
form_tag and form_for cause #protect_from_forgery errors
Hey All, I'm trying to do a simple form_for (and I also get it with form_tag) and I'm getting the following error: ActionView::TemplateError (No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).) on line #2 of users/new.fbml.erb: 1: <h1>Welcome To Courses, Let's Get
2010 Apr 01
4
POST-only logic in protect_from_forgery considered harmful?
Hi folks, I am just getting into rails again after a multi-year stint of mod_perl jobs, which might grant me some newbie-indemnity for the time being - but I've found an issue I think warrants discussion. As discussed here - http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html - the CSRF protection feature does not kick in for GET requests. This
2008 Jan 08
3
Unbreak ActiveRecordHelper::form() when protect_from_forgery is used
Can I get some +1s for this tiny patch? It fixes ActiveRecordHelper::form, which is broken by default in new applications created with Rails 2.0. http://dev.rubyonrails.org/ticket/10739 Jeremy
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
I'm setting up a Paypal IPN listener and need the create action to not use rails' default CSRF protection. I've got that working fine & test it actually works with cucumber (where I've turned CSRF back on, since it's full-stack testing) but would like my controller spec to mention the need for protect_from_forgery :except => [:create] (and fail
2011 Feb 11
11
CSRF protection in rails 2.3.11
Hi all, I think CSRF protection broke in rails 2.3.11. As in: it's turned off now. I tried this in rails 2.3.10 and in 2.3.11 and 2.3.11 seems broken. >rails csrftest >cd csrftest >script/generate scaffold post title:string >rake db:migrate now I visit /posts/new in my browser, use firebug to delete or change the authenticity token, and submit the form. rails 2.3.11: all
2009 Mar 31
3
Accept POST data from external source?
Ok, this is harder than I thought. I've got a hunk of XML coming in from an entirely external source that I do not control (but another department in my company does, so it's not like a giant security hole). I was hoping to just have them POST their data to me, and then I'd read the raw stream and parse it. I'm sure folks know what I ran into -- Invalid
2008 Jul 08
8
POST instead of GET gives 404 (newbie)
Hi, Using JRuby 1.1 and Rails 2.0, I created a small project in NetBeans that allows me to generate a dynamic dialplan in XML. In case it matters, I'm using builder-2.1.2 and activerecord-2.0.2. Going in the browser to: http://localhost:3000/routing/dialplan?Caller-Destination-Number=0 Does exactly what I want: <document type="freeswitch/xml"> <section
2008 May 07
2
Question on authenticity tokens
Does anyone find them useful? I can see them being good in some cases, but I have many exceptions that occur because of expired sessions. I am also not sure if they are really required for pages that require a login to access. The other place that they cause issues is in javascript requests. I am not using the built-in helpers, and all the javascript exists in separate js files. There are ways
2007 Dec 23
3
InvalidAuthenticityToken problems with my login form
I am trying to convert my code to use the new Rails 2.0 feature RequestForgeryProtection but I get an InvalidAuthenticityToken error, right from the beginning with my login form. I followed the recommendations: in my environment.rb config.action_controller.session = { :session_key => 'myappname', :secret =>