search for: protect_from_forgery

Displaying 20 results from an estimated 70 matches for "protect_from_forgery".

2010 Feb 09
4
Rails3 pre and protect_from_forgery
I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having some trouble with protect_from_forgery. I had protect_from_forgery set in application_controller.rb, but run some uploadify ajax stuff in one of my controllers, where I had protect_from_forgery, :except => :add_file set. In rails 3 I'm getting ActionController::InvalidAuthenticityToken on the ajax upload unless I turn off p...
2008 Mar 15
3
[HELP]No :secret given to the #protect_from_forgery call
...milo", :clave => "secreta", :tipo => "administrador"}} end But when I add this spec, I start getting this: 1) ActionController::InvalidAuthenticityToken in 'UsuarioController deberia crear una nueva persona en post create' No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). ./spec/controllers/usuario_controller_spec.rb:30: script/spec:4: This is the only failure. Line 30 is the post "create". I am on Ruby 1.8.6, Rails 2.0.2, Rspec 1.1.3 (saw in vendor/plugins/...
2008 Sep 06
4
Is Rails 2.1 "protect_from_forgery" == csrf_killer plugin?
Just would like to verify: Is protect_from_forgery (in Rails 2.1) == the csrf_killer plugin from Rick Olson? Thanks, Wes -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this g...
2009 Jun 09
3
protect_from_forgery doesn't protect from forgery
Maybe I am grasping the full usage of this protect_from_forgery function, but it does not seem to work for me. Imagine the following: A simple website with a user that needs to log in to do certain stuff and a closed off admin section that only certain users can access that have the is_admin field set to true. So to be clear, my User model has a login, passwo...
2009 Oct 13
1
config.action_controller.session[:secret] vs protect_from_forgery :secret
...apps you want the session to be shared with. Now, some of the apps are returning in the HTTP response a session id (_apps_session=big number) that is different, even though they have the same session_key and secret. One thing that I noted, though, is that these apps are also providing a :secret to protect_from_forgery, and the number is different from the number passed to the :secret on config.action_controller.session[:secret]. What I would like to know is, if I'm setting the secret in config.action_controller.session, do I need to pass it to protect_from_forgery? Or are they secrets of different natu...
2008 Sep 23
0
exception_logger and protect_from_forgery
I am having a problem using the exception_logger plugin when I have protect_from_forgery enabled. Here is the line from application.rb: protect_from_forgery :secret => 'xxxx' But I am getting: No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). Now, if I remove the secret...
2009 Jun 22
2
protect_from_forgery with db-session (Rails 2.3.2)
I try to use db-session with protect_from_forgery. But I always get an error msg: ActionController::InvalidAuthenticityToken. application_controller.rb protect_from_forgery #:secret => 'top_secret' session_store.rb ActionController::Base.session_store = :active_record_store hope you can help me. Best regards
2007 Oct 03
2
active_record_store sessions does not pass a :secret to #protect_from_forgery in Rails 2.0.0 Preview
After switching to active_record_store to host sessions, I now get the following errors: ActionController::InvalidAuthenticityToken in Pages#edit Showing app/views/pages/edit.html.erb where line #5 raised: No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). Extracted source (around line #5): 2: 3: <%= error_messages_for :page %> 4: 5: <% form_for(@page) do |f| %> 6: <p> 7: <b>Name</b><br /> 8: <%= f.text_...
2009 Oct 09
1
protect_from_forgery development mode
Should this be working in development mode? For some reason it doesn't. regards, John
2010 Sep 10
0
protect_from_forgery
...wbie to Rails, coming from a PHP shop, so please excuse my ignorance. I have two applications. A Codeigniter PHP app and a Rails 3.0 app. The rails app makes paypal api calls and the php app makes curl post calls to the rails app with information from a shopping cart. How can I make this work with protect_from_forgery? I basically want to pass my own auth token from the php app (or any 3rd party app for that matter) to my rails app so that it knows it's ok to proceed. Thanks in advance for all help!
2008 Mar 19
7
Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st POST
All, I've upgraded to 2.0.2, and I can't get my login screen (the first POST request in the application) to work. When I post this form, I see the "InvalidAuthenticityToken" error. I have protect_from_forgery :secret => 'my_secret' set in application.rb and I am using an active_record session store based on this line in environment.rb: config.action_controller.session_store = :active_record_store My login_form is generated using form_for(). However, I am using text_field_tag...
2008 Apr 09
3
form_tag and form_for cause #protect_from_forgery errors
Hey All, I'm trying to do a simple form_for (and I also get it with form_tag) and I'm getting the following error: ActionView::TemplateError (No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).) on line #2 of users/new.fbml.erb: 1: <h1>Welcome To Courses, Let's Get Started.</h1> 2: <% form_for :user, user_path, :method => :post do |form| %> 3: <fb:editor-...
2010 Apr 01
4
POST-only logic in protect_from_forgery considered harmful?
...actually easier to do from a remote CSRF attacker's point of view. The controller will then happily do all the work requested of it without the token being present at all. How many rails developers do we think put a POST-method validation filter around all their form processing code, and yet expect protect_from_forgery still somehow protects the actions? Also, it appears that the authenticity token is not inserted into forms automatically when the form is specified as a GET. While GET requests *should* be idempotent, it is quite common for them not to be. Consider for instance on Yahoo! search which remembers (...
2008 Jan 08
3
Unbreak ActiveRecordHelper::form() when protect_from_forgery is used
Can I get some +1s for this tiny patch? It fixes ActiveRecordHelper::form, which is broken by default in new applications created with Rails 2.0. http://dev.rubyonrails.org/ticket/10739 Jeremy --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
...and need the create action to not use rails' default CSRF protection. I've got that working fine & test it actually works with cucumber (where I've turned CSRF back on, since it's full-stack testing) but would like my controller spec to mention the need for protect_from_forgery :except => [:create] (and fail when it's not set). I've not had any luck with telling the controller or ActionController::Base to use forgery protection in the spec and am a bit stuck. Has anyone done this before, or do any of these look possible: * reload the rails app for...
2011 Feb 11
11
CSRF protection in rails 2.3.11
...>rake db:migrate now I visit /posts/new in my browser, use firebug to delete or change the authenticity token, and submit the form. rails 2.3.11: all fine, new post saved rails 2.3.10: ActionController::InvalidAuthenticityToken I checked ApplicationController to see if it still contained "protect_from_forgery", which is the case. I read the announcement for the csrf changes in 2.3.11 and they talk about overriding handle_unverified_request for special cases where there are other ways for authenticating a user. In this simple case I demonstrated though, there is no concept of a user or logging in (o...
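Three of the threads above (the PHP app that must POST into a Rails app, the "POST-only logic considered harmful" thread, and the 2.3.11 change that resets the session instead of raising) all turn on what the forgery filter does and does not check. The following is an added stand-alone model in plain Ruby, not ActionController's code and not from any of the posters: App, Request, API_SECRET, the X-Signature header and the action names are assumptions made for the illustration. It shows the token check skipping GET, the per-action verb whitelist that closes that gap, the 2.3.11-style reset_session path letting an unverified action run anyway, and an HMAC-signed exemption for a machine client.

```ruby
require "openssl"
require "securerandom"

# Added illustration of a Rails-style authenticity-token filter; not ActionController's
# code. App, Request, API_SECRET, X-Signature and the action names are assumptions.

Request = Struct.new(:verb, :action, :params, :headers, :body)

def build_request(verb, action, params: {}, headers: {}, body: "")
  Request.new(verb, action, params, headers, body)
end

class InvalidAuthenticityToken < StandardError; end

# Constant-time comparison: a token check must not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

class App
  SAFE_METHODS = %w[GET HEAD].freeze
  API_SECRET   = "shared-with-the-php-app".freeze   # assumed secret shared with the machine client
  CSRF_EXEMPT  = %w[cart_import].freeze             # like protect_from_forgery :except => :cart_import
  # Verbs each action accepts: the check a POST-only token filter needs next to it.
  ALLOWED_METHODS = {
    "show"        => %w[GET],
    "create_post" => %w[POST],
    "delete_post" => %w[POST DELETE],
    "cart_import" => %w[POST],
  }.freeze

  attr_reader :session, :posts

  # on_unverified: :raise (pre-2.3.11) or :reset_session (the 2.3.11 / 3.0.4 default)
  # enforce_methods: false reproduces the GET bypass the thread complains about
  def initialize(on_unverified: :raise, enforce_methods: true)
    @session = {}
    @posts = []
    @on_unverified = on_unverified
    @enforce_methods = enforce_methods
  end

  # Per-session random token, rendered into forms as the hidden authenticity_token field.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # GET/HEAD are never checked, so any state change reachable by GET is unprotected.
  def verified_request?(req)
    return true if SAFE_METHODS.include?(req.verb)
    token = req.params["authenticity_token"] || req.headers["X-CSRF-Token"]
    expected = session[:_csrf_token]
    !token.nil? && !expected.nil? && secure_compare(token, expected)
  end

  # A machine client proves knowledge of the shared secret with an HMAC over the body
  # instead of presenting a browser session token.
  def signed_request?(req)
    sig = req.headers["X-Signature"]
    !sig.nil? && secure_compare(sig, OpenSSL::HMAC.hexdigest("SHA256", API_SECRET, req.body))
  end

  def handle_unverified_request
    raise InvalidAuthenticityToken if @on_unverified == :raise
    @session.clear   # 2.3.11 style: drop the session and let the action run unauthenticated
  end

  def dispatch(req)
    return [404, "no such action"] unless ALLOWED_METHODS.key?(req.action)
    if @enforce_methods && !ALLOWED_METHODS[req.action].include?(req.verb)
      return [405, "method not allowed"]
    end
    if CSRF_EXEMPT.include?(req.action)
      return [403, "bad signature"] unless signed_request?(req)
    elsif !verified_request?(req)
      handle_unverified_request
    end
    public_send(req.action, req)
  end

  def show(_req);       [200, "ok"];                                             end
  def create_post(req); @posts << req.params["title"]; [201, "created"];         end
  def delete_post(req); @posts.delete(req.params["title"]); [200, "deleted"];    end
  def cart_import(req); @posts << "order:#{req.body}"; [202, "accepted"];        end
end

if __FILE__ == $PROGRAM_NAME
  lax = App.new(enforce_methods: false)
  lax.form_authenticity_token
  lax.posts << "victim"
  # An <img> or link on an attacker's page triggers this GET; no token is required.
  p lax.dispatch(build_request("GET", "delete_post", params: { "title" => "victim" }))     # => [200, "deleted"]
  p App.new.dispatch(build_request("GET", "delete_post", params: { "title" => "victim" })) # => [405, "method not allowed"]
end
```

Two caveats a practitioner would add: the HMAC here covers only the body, so a captured request can be replayed until the secret changes; include a timestamp or nonce in the signed data for a real endpoint. And the 2.3.11 reset_session behaviour only protects actions whose effect depends on session state; for an action with no login concept, as in the last thread, the forged request still succeeds unless handle_unverified_request is overridden to raise.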
2009 Mar 31
3
Accept POST data from external source?
Ok, this is harder than I thought. I've got a hunk of XML coming in from an entirely external source that I do not control (but another department in my company does, so it's not like a giant security hole). I was hoping to just have them POST their data to me, and then I'd read the raw stream and parse it. I'm sure folks know what I ran into -- Invalid
2008 Jul 08
8
POST instead of GET gives 404 (newbie)
Hi, Using JRuby 1.1 and Rails 2.0, I created a small project in NetBeans that allows me to generate a dynamic dialplan in XML. In case it matters, I'm using builder-2.1.2 and activerecord-2.0.2. Going in the browser to: http://localhost:3000/routing/dialplan?Caller-Destination-Number=0 Does exactly what I want: <document type="freeswitch/xml"> <section
2008 May 07
2
Question on authenticity tokens
Does anyone find them useful? I can see them being good in some cases, but I have many exceptions that occur because of expired sessions. I am also not sure if they are really required for pages that require a login to access. The other place that they cause issues is in javascript requests. I am not using the built-in helpers, and all the javascript exists in separate js files. There are ways
2007 Dec 23
3
InvalidAuthenticityToken problems with my login form
...right from the beginning with my login form.. I followed the recommendations: in my environment.rb config.action_controller.session = { :session_key => 'myappname', :secret => '6de86b5566d7598f57e757960760acd2' } in my application.rb protect_from_forgery :secret => '6de86b5566d7598f57e757960760acd2' my sessions_controller.rb doesn't have anything new inside... same code as used with rails 1.2 (is it right?) class SessionsController < ApplicationController def new @login = "" end def create...