Displaying 20 results from an estimated 1000 matches similar to: "rspec-rails how to selectively turn on csrf protection for controller specs?"
2010 Feb 22
10
Error: "ActionController::InvalidAuthenticityToken"
Hi there,
I have my first Rails app running and I regularly get the following
"logged_exception" error message:
"ActionController::InvalidAuthenticityToken"
Has anybody an idea what might cause this problem? Could it somehow be a
"time out" error (like an "AuthenticityToken" which might expire after a
certain time, or something along those lines)?
Any
2013 Jan 09
4
CSRF resets my session in Firefox
Hello all,
I've been trying to diagnose an issue with CSRF and Firefox
specifically. I've got an ajax based form, using UJS (yes, I have
csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
to the ajax beforeSend events without any luck)... The form just posts
some data to an ajax method that creates, saves, and sets the session
for a shopper as
2011 Feb 11
11
CSRF protection in rails 2.3.11
Hi all,
I think CSRF protection broke in rails 2.3.11.
As in: it's turned off now.
I tried this in rails 2.3.10 and in 2.3.11 and 2.3.11 seems broken.
>rails csrftest
>cd csrftest
>script/generate scaffold post title:string
>rake db:migrate
now I visit /posts/new in my browser, use firebug to delete or change
the authenticity token, and submit the form.
rails 2.3.11: all
2008 Mar 27
3
Help with authentication errors
Hello,
I have been working through two books, "Agile Web Development with
Rails, 2nd Ed." and "Ajax on Rails". I'm using Rails 2.0. In both cases,
I run into an authentication error when doing the examples. In AWDwR,
when trying to add new information to the database (p. 68) I get
ActionController::InvalidAuthenticityToken in AdminController#create
2008 Feb 07
4
text_field_with_auto_complete
I have the following in my view:
<% form_tag :action => 'detail' do %>
Search for Sales Order Number:<br />
<%= text_field_with_auto_complete :sales_order, :id %>
<%= submit_tag " Go "%>
<% end %>
And I have the following in my controller:
auto_complete_for :sales_order, :id
This worked fine in 1.5, but
2008 Apr 09
3
form_tag and form_for cause #protect_from_forgery errors
Hey All,
I'm trying to do a simple form_for (and I also get it with form_tag)
and I'm getting the following error:
ActionView::TemplateError (No :secret given to the
#protect_from_forgery call. Set that or use a session store capable
of generating its own keys (Cookie Session Store).) on line #2 of
users/new.fbml.erb:
1: <h1>Welcome To Courses, Let's Get
2008 Mar 15
3
[HELP]No :secret given to the #protect_from_forgery call
I am starting to BDD. When specing the controller I want to test for
object creation:
it "deberia crear una nueva persona en post create" do
Usuario.should_receive(:create).with({:nombre => "camilo", :clave
=> "secreta", :tipo => "administrador"}).and_return(@usuario)
post 'create', {:usuario => {:nombre =>
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
Dear Rails community,
As part of a programming languages/security research group at the
University of Maryland, we are building some static analysis tools for
Rails applications. These tools work by taking formally specified
properties of interest, and then analyzing code to verify that those
properties indeed hold. Using these tools, we found some security
vulnerabilities in Rails, and we would
2008 Aug 21
4
forgery Protection
Has anybody solved this issue? [
http://rubyforge.org/pipermail/facebooker-talk/2008-April/000552.html ]
NameError (undefined local variable or method `controller' for
#<LeaveController:0xb7144abc>):
/app/controllers/application.rb:24:in `verify_authenticity_token'
2010 Apr 01
4
POST-only logic in protect_from_forgery considered harmful?
Hi folks,
I am just getting into rails again after a multi-year stint of
mod_perl jobs, which might grant me some newbie-indemnity for the time
being - but I've found an issue I think warrants discussion.
As discussed here - http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html
- the CSRF protection feature does not kick in for GET requests. This
2009 Mar 12
5
InvalidAuthenticityToken from home page
I'm trying to create a log in in index.html, but I keep getting an error
about InvalidAuthenticityToken. I understand this is something that RoR
puts in the forms, and it changes regularly. The problem is that the
home page in the public folder is html, and therefore static. Has anyone
else put a log in on their home page?
--
Posted via http://www.ruby-forum.com/.
2010 Sep 04
0
CSRF protection not working with jquery ajax post request
Hallo,
I want to test the csrf protection of my application but forgery
protection is not working with jquery ajax request.
I have used Unobtrusive Javascript with jquery
I have removed the
<%= csrf_meta_tag %>
so that my application does not include the authenticity token.
In my view I have the following code
$(function () {
$('#alert').click(function () {
$.ajax({
2009 Jun 09
3
protect_from_forgery doesn't protect from forgery
Maybe I am grasping the full usage of this protect_from_forgery
function, but it does not seem to work for me. Imagine the following:
A simple website with a user that needs to log in to do certain stuff
and a closed off admin section that only certain users can access that
have the is_admin field set to true.
So to be clear, my User model has a login, password and is_admin.
When displaying the
2013 Jan 22
2
Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
I am running a Rails 4 app in semi-production and I constantly get
exceptions from crawler bots that use a HEAD HTTP method, which causes the
CSRF protection to kick in.
Shouldn't HEAD requests normally be handled like GET requests?
I am not sure if I'm just being stupid or that it is a bug somewhere.
Michiel
2011 Feb 09
2
CSRF Protection Bypass in Ruby on Rails - I don't get it ...
Hi all,
My team and I are finding ourselves a little in the dark about the
"CSRF Protection Bypass in Ruby on Rails" vulnerability that was
announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
1. Where is the complete Advisory? The Impact section is very unclear.
Looking at the comment in the 2.3 patch mentions "Flash animations and
2011 Jul 26
1
[Announce] Samba 3.5.10, 3.4.14 and 3.3.16 Security Releases Available
Release Announcements
=====================
Samba 3.5.10, 3.4.14 and 3.3.16 are security releases in order to
address CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and
CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT).
o CVE-2011-2522:
The Samba Web Administration Tool (SWAT) in Samba versions
3.0.x to 3.5.9 is affected by a cross-site request forgery.
o CVE-2011-2694:
2009 May 05
3
Unable to deactivate forgery protection
Hi,
I just created a new Rails app that will be receiving some POSTed data
from the outside so it must skip the verify_authenticity_token for some
create actions. Although I have added:
skip_before_filter :verifiy_authenticity_token
I still get InvalidAuthenticityToken. In one of my other Rails app
(created back in Rails 1.2.6 and updated to 2.3.2 over time) this
skipping works perfectly though,
2005 May 12
1
Cross-site Request Forgery
Hi all,
I stuck a little bit of information on CSRF on the wiki
(http://wiki.rubyonrails.com/rails/show/HowToAvoidCrossSiteRequestForgery)
and created a "Security Concerns" page from the home page
(http://wiki.rubyonrails.com/rails/show/Security+Concerns) - it would
be good to have a single point of information for all known security
holes and fixes (even if they aren't Rails
2011 Aug 28
1
Page Caching, CSRF, and Loading a form via Ajax
Hi all,
I would like to use page caching on my homepage, but also want to
enable people to sign in via a modal dialog sign in form. I could
have a setup in which when a user lands on the cached homepage, an
Ajax GET request pulls in the whole login form so that there is a
fresh authenticity token.
That said, besides the additional hit to the server, the CSRF token in
the head area of the page