can't get in_place_edit to work in rails 2.0 => ActionController::InvalidAuthenticityToken


MarcS

Dec 20, 2007, 4:00:55 PM
to Ruby on Rails: Talk
Hi,

I can't get in_place_edit to work in rails 2.0
when updating, it always fails with the error message

ActionController::InvalidAuthenticityToken

I have the following code in my controller:

class ArticlesController < ApplicationController
in_place_edit_for :article, :title

and in my view:
<%= in_place_editor_field "article" , "title" %>

any ideas how to fix this?

thanks,
Marc

Ryan Bigg

Dec 20, 2007, 5:53:27 PM
to rubyonra...@googlegroups.com
Clear tmp/sessions and did you set a cookie_secret in the environment.rb?

MarcS

Dec 20, 2007, 5:56:12 PM
to Ruby on Rails: Talk
cookie_secret is set and temp/sessions is empty
but the problem is still there

any other ideas?

On Dec 20, 23:53, "Ryan Bigg" <radarliste...@gmail.com> wrote:
> Clear tmp/sessions and did you set a cookie_secret in the environment.rb?

Ryan Bigg

Dec 20, 2007, 6:01:03 PM
to rubyonra...@googlegroups.com
A backtrace on the error would be good. Find out if there's any specific files it points to in your application. Something's throwing that error.

MarcS

Dec 20, 2007, 6:08:59 PM
to Ruby on Rails: Talk
I guess the problem is the following:

When a form is being generated rails automatically adds something like
this:
<input type="hidden" value="11ff3908e6cd4be7b4041a93b783829ce6b12349"
name="authenticity_token"/>

The problem is that in_place_edit doesn't seem to be adding this to
the form and therefore the InvalidAuthenticityToken is being raised.

I wonder why no one else had that problem before (at least I didn't
find anything about it)

Any idea how to get around that?

thanks

Ryan Bigg

Dec 20, 2007, 6:11:56 PM
to rubyonra...@googlegroups.com
No idea how to get around that, sorry.

You could try generating your own authenticity_token.

MarcS

Dec 20, 2007, 6:15:16 PM
to Ruby on Rails: Talk
It seems like I either have to hack prototype to make it include the
authenticity token somehow (doesn't sound very appealing to me) or I
make rails not check the authenticity_token for that action (which I
dunno how to do and which would probably not be the best idea from a
security point of view)

Jochen Kaechelin

Dec 20, 2007, 6:19:51 PM
to rubyonra...@googlegroups.com

Jochen Kaechelin

Dec 20, 2007, 6:22:04 PM
to rubyonra...@googlegroups.com


I just tried it here:

<span class="inplace_span" id="guest_namen_1"
      onclick="Element.hide(this);$('guest_namen_1_form').show();"
      onmouseover="new Effect.Highlight(&quot;guest_namen_1&quot;,{});"
      title="Click to Edit">jochen</span>
<form action="/guests/set_guest_namen/1" class="in_place_editor_form"
      id="guest_namen_1_form" method="post"
      onsubmit="new Ajax.Request('/guests/set_guest_namen/1', {asynchronous:true, evalScripts:true,
        onComplete:function(request){$('loader_guest_namen_1').hide();},
        onLoading:function(request){$('guest_namen_1_form').hide(); $('loader_guest_namen_1').show();},
        parameters:Form.serialize(this) + '&amp;authenticity_token=' + encodeURIComponent('08636d4bb04dee6871dd01cc4b86a559d5e1cf08')});
        return false;"
      style="display:none">
  <div style="margin:0;padding:0"><input name="authenticity_token" type="hidden" value="08636d4bb04dee6871dd01cc4b86a559d5e1cf08" /></div>
  <input class="inplace_text_field" id="guest_namen" name="guest[namen]" size="30" type="text" value="jochen" />
  <input class="inplace_submit" name="commit" type="submit" value="OK" />
  <a class="inplace_cancel" href="#" onclick="$('guest_namen_1_form').hide();$('guest_namen_1').show() ; return false;">Cancel</a>
</form>
<div class="inplace_loader" id="loader_guest_namen_1" style="display:none"><img alt="Spinner" src="/images/spinner.gif?1198155982" />&nbsp;&nbsp;<span>Saving...</span></div><br></br>

....seems to work...


Ryan Bigg

Dec 20, 2007, 6:14:03 PM
to rubyonra...@googlegroups.com
It looks like it's just a SHA1 key.

Digest::SHA1.hexdigest("secure")

http://dev.rubyonrails.org/browser/trunk/actionpack/test/controller/request_forgery_protection_test.rb?rev=7668

No idea where it defines the equivalent to "secure".


On Dec 21, 2007 9:41 AM, Ryan Bigg <radarl...@gmail.com> wrote:
> No idea how to get around that, sorry.
>
> You could try generating your own authenticity_token.



--
Ryan Bigg
http://www.frozenplague.net

MarcS

Dec 20, 2007, 6:26:34 PM
to Ruby on Rails: Talk
thanks Jochen,

any idea if this works when I list multiple resources on the same
page?
For example, I have a project which has multiple stores and multiple
products, and needs a description per product per store. So I need to
pass the controller a store id and a product id, and then find the
description which matches or, alternatively, create one if one doesn't
exist.

From what I saw by just quickly looking at it this won't work with my
problem

mvelco

Dec 20, 2007, 6:39:58 PM
to Ruby on Rails: Talk
I put the following in my controller to make it skip the
authenticity_token check:

protect_from_forgery :only => [:create, :delete, :update]

I only have one field in this controller that uses in_place_editor, so
I put the update for that field in its own method.

My only concern is the security issues, but I haven't found another
way around this issue yet.

alec....@gmail.com

Jan 4, 2008, 9:48:05 AM
to Ruby on Rails: Talk
Tested workaround:

in_place_edit_for :annotation, :text
protect_from_forgery :except => [:set_annotation_text]
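
What the two workarounds above trade away, as an added Ruby sketch that is not Rails source and not code from any poster: a simplified model of a session-bound token check with `:only`/`:except` style exemptions. The HMAC construction, `SECRET`, the session ids and the `destroy` action are assumptions made for illustration.

```ruby
require "openssl"

# Simplified model of a session-bound CSRF check; an illustration, not Rails source.
SECRET = "constructed-sample-secret" # constructed value

class InvalidAuthenticityToken < StandardError; end

# Assumed construction: HMAC of the session id, so a token is valid for one session only.
def token_for(session_id)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SECRET, session_id)
end

# Constant-time comparison, so the check does not reveal how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# :only verifies just the listed actions; :except verifies everything but them.
def verified_action?(action, filter)
  return filter[:only].include?(action) if filter[:only]
  return !filter[:except].include?(action) if filter[:except]
  true
end

# Returns :ok, or raises the way the tokenless in-place edit POST does in this thread.
def handle(action, verb, session_id, params, filter = {})
  return :ok if verb == :get                          # reads are not verified
  return :ok unless verified_action?(action, filter)  # exempted: no check at all
  sent = params["authenticity_token"].to_s
  raise InvalidAuthenticityToken unless secure_compare(sent, token_for(session_id))
  :ok
end

def rejected?(*args)
  handle(*args)
  false
rescue InvalidAuthenticityToken
  true
end

if __FILE__ == $0
  only = { only: %w[create delete update] }
  %w[update set_article_title destroy].each do |action| # destroy is hypothetical
    verdict = rejected?(action, :post, "session-A", {}, only) ? "rejected" : "ACCEPTED"
    puts "tokenless POST #{action} under the :only list: #{verdict}"
  end
end
```

Under the `:only` list every action that is not named goes unverified, including ones added later, while `:except` exempts exactly the in-place edit action and leaves the rest covered.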

David Beckwith

Apr 6, 2008, 1:58:21 PM
to rubyonra...@googlegroups.com
You can do something like this in your view to make your authenticity
token available to your javascript in your views.

<%= javascript_tag "window._token = '#{form_authenticity_token}'" %>

That will make your authenticity token available to your custom
javascript Ajax requests. If you're using prototype.js and you want to
do a custom PUT, you do something like this.

new Ajax.Request('/products/1', {
  method: 'put',
  parameters: 'product[name]=chair&authenticity_token=' + window._token
});
--
Posted via http://www.ruby-forum.com/.

tonypm

Apr 8, 2008, 2:36:31 AM
to Ruby on Rails: Talk
On Apr 6, 6:58 pm, David Beckwith <rails-mailing-l...@andreas-s.net>
wrote:
> You can do something like this in your view to make your authenticity

Thank you for that, David. I have seen several questions around this,
but AFAIK yours is the first example of exactly how to include the
token in a JS call - I'll give it a go.

powermike

Apr 9, 2008, 5:59:36 PM
to Ruby on Rails: Talk
Hi,

This is what I do:

I register a global JavaScript variable in my view, let's say:
var authenticityToken = encodeURIComponent('<%= form_authenticity_token %>')

Then I use it in my custom Prototype Ajax calls:

parameters:'authenticity_token=' + authenticityToken

Hope this helps.

Cya
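
Why the token is wrapped in encodeURIComponent in the post above, while plain concatenation as in David Beckwith's post also works for the hex tokens seen in this thread: an added Ruby example, not code from any poster, that round-trips both request bodies through form decoding. `BASE64_TOKEN` is a constructed value standing in for a token that contains `+`, `/` or `=`.

```ruby
require "uri"

# Hex token as it appears in the HTML quoted earlier in this thread.
HEX_TOKEN = "08636d4bb04dee6871dd01cc4b86a559d5e1cf08"
# Constructed sample: a base64-style token (assumption, not taken from the thread).
BASE64_TOKEN = "q3+Zk/9xT0a+Bg=="

# Body built by plain concatenation: '...&authenticity_token=' + window._token
def raw_body(token)
  "product[name]=chair&authenticity_token=" + token
end

# Body with the token percent-encoded, the Ruby analogue of encodeURIComponent.
def encoded_body(token)
  "product[name]=chair&authenticity_token=" + URI.encode_www_form_component(token)
end

# The token value the server ends up with after form decoding.
def received_token(body)
  URI.decode_www_form(body).to_h["authenticity_token"]
end

# True when the server receives exactly the token the page embedded.
def survives?(token, body)
  received_token(body) == token
end

if __FILE__ == $0
  [HEX_TOKEN, BASE64_TOKEN].each do |t|
    puts "#{t}: raw=#{survives?(t, raw_body(t))} encoded=#{survives?(t, encoded_body(t))}"
  end
end
```

An unencoded `+` is decoded as a space, so the comparison on the server fails with the same InvalidAuthenticityToken error even though the client sent the token.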

artemv

Apr 11, 2008, 9:32:42 AM
to Ruby on Rails: Talk
and, to make it work in the test environment (where request forgery
protection is disabled by default),
<%= javascript_tag "window._token = '#{form_authenticity_token}'" if
ActionController::Base.allow_forgery_protection %>


Duc Tom

Apr 22, 2008, 4:10:09 AM
to rubyonra...@googlegroups.com

You can also use the form_authenticity_token() function to generate it.

Like :
<form action="/posts/search" method="get">
<input name="q" type="text" value="">
<input type="submit" value="Search" />
<input type="hidden" value="<%= form_authenticity_token() %>"
name="authenticity_token"/>
</form>

Tony Carrera

May 16, 2008, 9:19:25 AM
to rubyonra...@googlegroups.com
Duc Tom wrote:
>
> You can also use the form_authenticity_token() function to generate it.
>
> Like :
> <form action="/posts/search" method="get">
> <input name="q" type="text" value="">
> <input type="submit" value="Search" />
> <input type="hidden" value="<%= form_authenticity_token() %>"
> name="authenticity_token"/>
> </form>

I just wanted to say THANK YOU for posting about
form_authenticity_token()!!! Being new to Ruby/Rails, I'm not used to a
lot of the methods or procedures used within the framework. I was stuck
on trying to do a simple search when this saved me.

Thanks again!

-Tony

Harish Dewangan

Jul 11, 2008, 8:51:49 AM
to rubyonra...@googlegroups.com
Hi,
I'm facing the ActionController::InvalidAuthenticityToken problem.

I'm trying to make two WEBrick servers on different ports communicate.

I have 2 applications:
1) Service
2) Operation

Service is running on port 3000 and Operation is running on port 4000,
and I'm trying to call an action on port 3000 from port 4000, but when I
try, I get this error. Could anybody help me please?


Thanks in advance,
Harish

Harish Dewangan

Jul 11, 2008, 8:54:40 AM
to rubyonra...@googlegroups.com
Hi,

I developed a REST application and it worked, but I want to develop a
REST application which can perform any arithmetic operation.

I'm not getting any ideas. Can anybody explain this to me, please?
