similar to: disabling forgery protection

Displaying 20 results from an estimated 2000 matches similar to: "disabling forgery protection"

2009 Jun 09
3
protect_from_forgery doesn't protect from forgery
Maybe I am grasping the full usage of this protect_from_forgery function, but it does not seem to work for me. Imagine the following: A simple website with a user that needs to log in to do certain stuff and a closed off admin section that only certain users can access that have the is_admin field set to true. So to be clear, my User model has a login, password and is_admin. When displaying the
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
I'm setting up a Paypal IPN listener and need the create action to not use rails' default CSRF protection. I've got that working fine & test it actually works with cucumber (where I've turned CSRF back on, since it's full-stack testing) but would like my controller spec to mention the need for protect_from_forgery :except => [:create] (and fail
2009 May 05
3
Unable to deactivate forgery protection
Hi, I just created a new Rails app that will be receiving some POSTed data from the outside so it must skip the verify_authenticity_token for some create actions. Although I have added: skip_before_filter :verifiy_authenticity_token I still get InvalidAuthenticityToken. In one of my other Rails app (created back in Rails 1.2.6 and updated to 2.3.2 over time) this skipping works perfectly though,
2010 Jul 19
0
Protect from forgery for Rest destroy action ???
Hi !! I'm reading the rails guides about security, I had a question about the forgery protection If we consider a standard Restful resource ( generated with scaffold for example ), the update and create actions are protected from forgery attacks thanks to the authenticity token, but what about the destroy method ?? <a href="/posts/2"
2007 Oct 12
7
webrick 500 error
Hi, This is my second question on the poor performance of webrick (previously I had a problem with Ajax). I have a somewhat simple Rails application which works just fine, but when I come back to work the next day, the server responds with error 500. It looks like if it is running more than 12 hours, it'll crap-out. I don't use CVS (which I read on the web it is a common cause
2013 Mar 24
6
forgery protection for multiple browser tabs
Hi, http://apidock.com/rails/ActionController/RequestForgeryProtection only maintains one CSRF token at a time. When a user visits some site, he gets a new token in the session. He then might open a linked site of the same rails app in a new browser tab (maybe some info he'd like to read), and again he will get a new token. Then he changes to the first tab again and submits a form
2008 Aug 21
4
forgery Protection
Has anybody solved this issue. [ http://rubyforge.org/pipermail/facebooker-talk/2008-April/000552.html ] ? NameError (undefined local variable or method `controller' for #<LeaveController:0xb7144abc>): /app/controllers/application.rb:24:in `verify_authenticity_token'
2010 Sep 04
0
CSRF protection not working with jquery ajax post request
Hallo, I want to test the csrf protection of my application but forgery protection is not working with jquery ajax request. I have used Unobtrusive Javascript with jquery I have removed the <%= csrf_meta_tag %> so that my application do not include authenticity token. In my view I have the following code $(function () { $('#alert').click(function () { $.ajax({
2008 Mar 15
3
[HELP]No :secret given to the #protect_from_forgery call
I am starting to BDD. When specing the controller I want to test for object creation: it "deberia crear una nueva persona en post create" do Usuario.should_receive(:create).with({:nombre => "camilo", :clave => "secreta", :tipo => "administrador"}).and_return(@usuario) post 'create', {:usuario => {:nombre =>
2007 Nov 04
3
can't configure mongrel_cluster to start on boot
Hi everyone, I've been working with Mongrel, Mongrel_cluster and Apache and it is great. However, I can't get mongrel_cluster to start at boot time. I followed the instructions from http://mongrel.rubyforge.org/docs/mongrel_cluster.html (On Boot Initialization Setup) and mongrel_cluster does not start after rebooting the machine. I made sure that the shebang line is correct and
2007 Jun 25
3
one more "uninitialized constant" problem
Hi everyone, I'm new to backgroundrb, and I'm trying to get started with a simple example, yet with no success. This is the code that I have in RAILS_ROOT/lib/workers/testing_worker.rb class TestingWorker < BackgrounDRb::Worker::RailsBase def do_work(args) # This method is called in it's own new thread when you # call new worker. args is set
2007 Aug 09
2
RoR and DRb
Hi, I have a question regarding RoR and DRb. First of all, I tested with simple client/server examples and everything worked as expected. I have the following lines in my environment.rb: DRb.start_service $rem_obj = DRbObject.new(nil, "druby://#{rname}:9001") Since rem_obj is a global variable, I can call it from any controller and the invoked procedure is run on the server. However,
2008 Mar 19
7
Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st POST
All, I've upgraded to 2.0.2, and I can't get my login screen (the first POST request in the application) to work. When I post this form, I see the "InvalidAuthenticityToken" error. I have protect_from_forgery :secret => 'my_secret' set in application.rb and I am using an active_record session store based on this line in environment.rb:
2008 Jun 19
6
Premature end of script headers; dispatch.cgi - ok
Hi, I'm getting the dreaded "Premature end of script headers: dispatch.cgi" message on my production server. Before I list all the things that I tried, let me mention that I already have a Rails app working on this server (installed by somebody else). First app is accessible at: http://mydomain.com/cwps and it all works. Second app is accessible at: http://mydomain.com/robo
2008 Mar 25
7
Facebooker::Session::SessionExpired (Session key invalid or no longer valid)
Hi All, I'm having horrible problems with this exception, which seems to happen as soon as I access the session object. Does anyone know what the path is to recover from this? This post looked to be the most promising: http://rubyforge.org/pipermail/facebooker-talk/2007-December/000047.html And I followed all of the steps except switching my session store, and modifying the default
2011 Feb 11
11
CSRF protection in rails 2.3.11
Hi all, I think CSRF protection broke in rails 2.3.11. As in: it's turned off now. I tried this in rails 2.3.10 and in 2.3.11 and 2.3.11 seems broken. >rails csrftest >cd csrftest >script/generate scaffold post title:string >rake db:migrate now I visit /posts/new in my browser, use firebug to delete or change the authenticity token, and submit the form. rails 2.3.11: all
2008 Apr 18
2
synchronize mongrel cluster
Hi everyone, I would like to know if there's a way to synchronize the actions in a mongrel cluster. Basically, how do I make sure that a specific controller action gets executed by only one mongrel server at one time? I obviously cannot use Mutex::synchronize, because we're talking about different processes. I looked into using optimistic and pessimistic locking. I
2006 May 17
0
class filter: cannot call protected controller methods
Greetings all, I'm rewriting a filter from the method form to a class filter.(see below) Problem: some controller - redirect_to - and route - *_url - methods are protected (redirect_to, f.ex.), and cannot be called. Is this intended? Is there a solution workaround? TIA Alain BEFORE: ----------- before_filter :login_required, :except => [:welcome,:login] def
2008 Apr 09
3
form_tag and form_for cause #protect_from_forgery errors
Hey All, I'm trying to do a simple form_for (and I also get it with form_tag) and I'm getting the following error: ActionView::TemplateError (No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).) on line #2 of users/new.fbml.erb: 1: <h1>Welcome To Courses, Let's Get
2008 Aug 25
1
Catch forgery errors
Hi all, I am using ajax for some request but when the user session expire, I get a ActionController::InvalidAuthenticityToke error. Do you know how I could trap this error and redirect to the login panel ?