similar to: Is Rails 2.1 "protect_from_forgery" == csrf_killer plugin?

Displaying 20 results from an estimated 10000 matches similar to: "Is Rails 2.1 "protect_from_forgery" == csrf_killer plugin?"

2008 Mar 19
7
Upgrade to 2.0.2: InvalidAuthenticityToken error on 1st POST
All, I've upgraded to 2.0.2, and I can't get my login screen (the first POST request in the application) to work. When I post this form, I see the "InvalidAuthenticityToken" error. I have protect_from_forgery :secret => 'my_secret' set in application.rb and I am using an active_record session store based on this line in environment.rb:
2009 Jun 09
3
protect_from_forgery doesn't protect from forgery
Maybe I am grasping the full usage of this protect_from_forgery function, but it does not seem to work for me. Imagine the following: A simple website with a user that needs to log in to do certain stuff and a closed off admin section that only certain users can access that have the is_admin field set to true. So to be clear, my User model has a login, password and is_admin. When displaying the
2010 Feb 09
4
Rails3 pre and protect_from_forgery
I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having some trouble with protect_from_forgery. I had protect_from_forgery set in application_controller.rb, but run some uploadify ajax stuff in one of my controllers, where I had protect_from_forgery, :except => :add_file set. In rails 3 I'm getting ActionController::InvalidAuthenticityToken on the ajax
2010 Apr 01
4
POST-only logic in protect_from_forgery considered harmful?
Hi folks, I am just getting into rails again after a multi-year stint of mod_perl jobs, which might grant me some newbie-indemnity for the time being - but I've found an issue I think warrants discussion. As discussed here - http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html - the CSRF protection feature does not kick in for GET requests. This
2008 Mar 15
3
[HELP]No :secret given to the #protect_from_forgery call
I am starting to BDD. When speccing the controller I want to test for object creation: it "deberia crear una nueva persona en post create" do Usuario.should_receive(:create).with({:nombre => "camilo", :clave => "secreta", :tipo => "administrador"}).and_return(@usuario) post 'create', {:usuario => {:nombre =>
2009 Oct 13
1
config.action_controller.session[:secret] vs protect_from_forgery :secret
What I want to do is share the same session across many Rails applications. All of them are using Rails 2.2.2. I know that, to share the session, it's (supposedly) just a matter of sharing the same key and secret among the apps, like this: config.action_controller.session = { :session_key => '_apps_session', :secret =>
2006 Jul 05
3
PLUGIN newbie: How do I use an installed plugin
All, I've downloaded and installed a plugin into my vendor directory. How do I then take advantage of it? It has an init.rb file which has the appropriate require. What do I need to do to make sure that the plugin code gets loaded? Thanks, Wes -- Posted via http://www.ruby-forum.com/.
2007 Oct 03
2
active_record_store sessions does not pass a :secret to #protect_from_forgery in Rails 2.0.0 Preview
After switching to active_record_store to host sessions, I now get the following errors: ActionController::InvalidAuthenticityToken in Pages#edit Showing app/views/pages/edit.html.erb where line #5 raised: No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store). Extracted source (around line #5): 2: 3:
2006 Mar 18
9
Using <%= text_field %> within partials is problematic
All, Thanks for any help in advance. I have what I think is a very straightforward partial template and I can't figure out why a text_field call within it doesn't work. Here is my calling template: lists.rhtml <div id="target_lists"> <%= render(:partial => "target_lists", :collection => @target_lists) %> </div> In the partial
2006 May 30
5
Implementing HTTPS with WEBrick?
All, I would like to test some secure pages that I'm developing in my WEBrick-based development environment. I've done some research and it appears that I need to create a new command that will start an HTTPS based WEBrick server. Is this correct? Also, it appears that the https.rb module is not included with the WEBrick bundled in Rails. So, I will need to go get that
2008 Apr 09
3
form_tag and form_for cause #protect_from_forgery errors
Hey All, I'm trying to do a simple form_for (and I also get it with form_tag) and I'm getting the following error: ActionView::TemplateError (No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).) on line #2 of users/new.fbml.erb: 1: <h1>Welcome To Courses, Let's Get
2006 Jul 10
8
Setup new data in the test database _after_ unit test runs
All, I want to run automated unit tests as part of my build. I am building to my test environment. Upon successful completion of all of my unit tests, I would then like to load some data (using a fixture, I imagine) into my test database that will act as fresh "system test" data for my users to play with. What is the best way to "load the standard system test/user acceptance
2006 Jul 13
5
Generic page element display initializer in a layout?
All, I've run into a snag. I need to handle the display of elements on my page and I want to use my Javascript event handlers on page load. However, my BODY tag is trapped in my generic layout. I'm thinking that I can put an onLoad on the BODY tag that will just call a Javascript method called initializePage() and then provide this initializePage() call in my specific page
2006 Jun 27
5
Can't call public application.rb method from ERb template
All, I have a left navigation partial that I want to dynamically generate CSS classes for based on the current controller action. In my ERb template, I have <DIV class="<%= get_menu_display_style('login_form') %>"> In application.rb, I have the method get_menu_display_style defined as: public def get_menu_display_style(action_requested)
2006 Mar 22
6
Relatively easy HTML/XML parsing utilities?
Anyone know of any Ruby modules which can be used to parse an HTML page ? Thanks, Wes -- Posted via http://www.ruby-forum.com/.
2006 Jul 03
4
text_field doesn't call overridden ActiveRecord getters
All, In a template, I have <%= text_field :target_list, :DateReceived, { :title => 'uploaded_at', :class => 'target_list_info', :disabled => 'true' } %> Here is the DateReceived method on my
2006 May 25
5
Setting a global before_filter action in application.rb
Can you set a global before_filter action in application.rb? So, for example, you could control authentication for all of the controllers in an app? Obviously, you would need a way to reference actions by controller within this "global before-filter". Thanks, Wes -- Posted via http://www.ruby-forum.com/.
2006 Jul 14
7
Form validation - keeping correct fields displayed on refresh
All, I'm finally doing my first real form in Rails - the model object that I'm entering information for has 8 validations so far. If I type in good values for all the fields but one, I get the pretty validation, and the nice field highlighting, but all of the fields are cleared, forcing me to retype all of that info. That is a big drag. Is there a standard way to get the
2006 Mar 20
5
Wrap error_messages_for() call when no instance var present
I am trying to put some smarts around a call to <%= error_messages_for %> so that when I first come into this page i.e. when my instance variable @target_list has not been defined yet, the page doesn't break. I'm doing this: <% if @target_list? %> <%= error_messages_for 'target_list' %> <% end %> I get a syntax error on line 1.
2006 Jul 10
7
What is has_many :through really buying you over HABTM?
So having just learned how to do has_many :through as opposed to HABTM, and then, being concerned that I wouldn't get it to work, I started thinking about these two approaches. It seems to me that the _only_ problem that the HM:T (has_many :through) approach solves that HABTM doesn't is the issue of the potential collision of id columns between your join table and one of