Jester JS Google Group

Re: Speaking of recent Rails + Jester problems

em...@thoughtbot.com (Eric Mill) — Fri, 22 Aug 2008 21:06:05 UT

Interesting. I think Jester should just commit to supporting the latest
standard, and forget about supporting the old attributes-only one. The
new JSON standard is closer to the XML standard, anyway.
-- Eric

Speaking of recent Rails + Jester problems

natbu...@gmail.com (Nat Budin) — Fri, 22 Aug 2008 20:49:15 UT

Somewhere along the line - I'm guessing in Rails 2.1 - the behavior of
ActiveRecord::Base#to_json seems to have changed. I'll give an
example - previously, doing something like user.to_json would have
returned something like:
{"nickname": "",
"lastname": "Budin",
"id": 35,
"gender": "male",
"firstname": "Nat",

Re: Jester and Rails's forgery protection

natbu...@gmail.com (Nat Budin) — Fri, 22 Aug 2008 20:13:18 UT

I don't know how often it changes, but I now have some indication that
this actually works in a real-world Rails use case. I modified my
JIPE plugin to support cross-site request forgery protection using
this patch, and cursory testing indicates that it works as intended.
For the curious, you can find my changed version at:

Re: Jester and Rails's forgery protection

cpy...@thoughtbot.com (Chad Pytel) — Fri, 22 Aug 2008 20:00:35 UT

Ok, I see you responded. The forgery protection authenticity token
doesn't change with every new request?
-Chad
---
Chad Pytel, Founder and CEO
thoughtbot, inc.
organic brains. digital solutions.
------------------------------ -------------
tel: 617.482.1300 x113
fax: 866.217.5992
[link]

Re: Jester and Rails's forgery protection

cpy...@thoughtbot.com (Chad Pytel) — Fri, 22 Aug 2008 19:58:43 UT

I agree, and its something that exists in Active Resource as well. I
remain to convinced that it'll actually work to solve the authenticity
token, because I still don't know how you get it from the server, but
thats without doing any research on it either.
-Chad
---
Chad Pytel, Founder and CEO

Re: Jester and Rails's forgery protection

em...@thoughtbot.com (Eric Mill) — Fri, 22 Aug 2008 19:26:36 UT

Nat, you are a badass.
-- Eric

Re: Jester and Rails's forgery protection

em...@thoughtbot.com (Eric Mill) — Fri, 22 Aug 2008 19:06:55 UT

The proposed solution, setting default URL parameters for each request,
is something useful in general, that would also help with the Rails
authenticity token issue. Allowing URL parameters to be passed on
-- Eric

Re: Jester and Rails's forgery protection

natbu...@gmail.com (Nat Budin) — Fri, 22 Aug 2008 19:05:02 UT

OK, forked, modified, pull request sent. Also includes unit tests!
This turned out to be somewhat more straightforward than I thought:
everything except obj.save is already using the _url_for helpers, and
already accepts arbitrary parameters being passed in. So all I needed
to modify was the _url_for function (to support model._defaultParams),

Re: Jester and Rails's forgery protection

natbu...@gmail.com (Nat Budin) — Fri, 22 Aug 2008 17:31:25 UT

Thanks, Eric! I'll try and do a fork later today and see what I can
come up with.
Nat

Re: Jester and Rails's forgery protection

natbu...@gmail.com (Nat Budin) — Fri, 22 Aug 2008 17:26:36 UT

It's easy:
<%= form_authenticity_token %>
Or if you want to be more sophisticated:
<% if protect_from_forgery? -%>
<%= form_authenticity_token %>
<% end -%>
Nat

Re: Jester and Rails's forgery protection

cpy...@thoughtbot.com (Chad Pytel) — Fri, 22 Aug 2008 17:25:01 UT

I don't know how you can even find out the authenticity token from
rails. This would be key to get that to work, as far as I know it
changes for every request. In my opinion, this is really more of a
rails problem, then something for jester to solve with a custom
solution.

Re: Jester and Rails's forgery protection

em...@thoughtbot.com (Eric Mill) — Fri, 22 Aug 2008 15:04:07 UT

You're right, Nat. I think the solution here is as you suggest, adding
the ability to pass along arbitrary URL parameters to all actions, not
just #find.
Perhaps specifying a default set of accompanying URL params (in other
frameworks, this might be a "jsessionid", etc.) on the Resource
definition would work too. I envision that looking just like:

Re: Jester and Rails's forgery protection

natbu...@gmail.com (Nat Budin) — Thu, 21 Aug 2008 18:59:45 UT

That would certainly work, but it seems like a bad idea to just
disable those protections. Do we really want to encourage people to
turn off security features for the sake of coding convenience?
Nat

Re: Jester and Rails's forgery protection

cpy...@thoughtbot.com (Chad Pytel) — Thu, 21 Aug 2008 18:46:10 UT

As with normal Active Resource, it's expected that you disable forgery
protection for resources that will be accessed.

Jester and Rails's forgery protection

natbu...@gmail.com (Nat Budin) — Thu, 21 Aug 2008 18:41:18 UT

Hello everyone!
As of Rails 2.0, there is an optional (but turned on by default in new
apps) mechanism for doing cross-site request forgery (CSRF)
protection. This article provides a decent overview of how it works:
[link]
Unfortunately this seems to cause some problems for Jester when turned