I have an action in a Rails 3.2 application which skips verification of the authenticity token, as follows:
skip_before_filter :verify_authenticity_token, only: [:my_action_name]
However, from time to time, this gets removed accidentally by developers, and the app fails silently, losing the user's session on that particular (AJAX) action.
From within my functional tests, what is the simplest way to test that this before filter is being skipped for that action? I.e. what is the simplest way to test that this line has not been removed?
I would run:
before_filter :verify_authenticity_token, only: [:add, :your, :actions, :here]
and add only the actions you want to run verify_authenticity_token on
Related
I have a Rails application where I'm using Vue (through webpacker) in some parts of the frontend.
From Vue I'm making a call to my server which needs to access the current_user (Devise), however, I'm getting the Can't verify CSRF token authenticity. error and the current user is not returned.
To avoid this I skipped the before_action like so:
skip_before_action :verify_authenticity_token, only: :stripe_vue
def stripe_vue
...
end
However, I'm still getting exactly the same issue.
It's kind of weird as I'm doing exactly the same thing in another controller and it works like charm.
Comment this line
protect_from_forgery with: :exception
and final code should look like this
skip_before_action :verify_authenticity_token
#protect_from_forgery with: :exception
Using Paypal payment standard. When the user is redirect the back to the app after paying on paypal.com, the logged in user becomes signed out. Any help is appreciated.
If you post to a rails app without providing the correct CSRF parameters, your session gets deleted. This sounds like what is happening. One way to solve this is to disable the CSRF meta protection for the paypal post action
In Rails3 you can disable the csrf token in your controller for particular methods:
In your controller:
1. protect_from_forgery :except => :create
or
2. skip_before_filter :verify_authenticity_token
or
to disable it for everything except a few methods:
3. skip_before_filter :verify_authenticity_token, :except => [:update, :create]
I'm trying to work out security for my AJAX calls. I've got a jQuery post call which deletes a note. From what I've read, it seems that I need to use protect_from_forgery to ensure that the post is coming from a valid user.
This is what I have so far
application_controller.rb
class ApplicationController < ActionController::Base
protect_from_forgery
...
index.html
$.post('../delete_note',{id:$('#note_id').val()}, function(data) {
});
note_controller.rb
def delete_note
y params
render :text => "success"
end
At the moment, the post request gets run by Rails, even though I'm not sending any security token with it. What do I need to do secure the call?
I'm using Rails 3.0.1 and devise for user management.
You probably want to ensure the user is signed in, using in your note controller something like:
before_filter :authenticate_member!, :except => [:index]
Additionally, check if the user has the rights to delete the note, for that you want to use a authorization solution like cancan.
Per the Agile Development book, I have an Admin MVC that controls how users log in. In ApplicationController, I have a before_filter that checks for authorization. So, this will check that the user has logged in for every page.
The problem is that I want everyone to be able to access the new method, for example, in Users (that is, anyone should be able to create a new user -- naturally! Only admin users should have access to the other methods in UsersController such as edit, etc.). What's the best way to do that?
You can either of this
before_filter :except=>[:method_name] #methods you want to skip filter
OR
before_filter :only=>[:method_name] #methods you want to be filtered before called.
EDITED
before_filter :filter_method, :except=>[:method_name] #methods you want to skip filter
OR
before_filter :filter_method, :only=>[:method_name] #methods you want to be filtered before called.
You can use the skip_before_filter method in child controller classes to skip the default filter processing. For example:
class UsersController < ApplicationController
skip_before_filter :authorize, :only => [:new, :create]
end
—Will skip the before filter named :authorize only for the new and create actions within the users controller i.e. the filter will still get applied for all other actions.
I would also suggest using CanCan gem for authorization as it has a really simple and clean way to define authorization rules.
http://github.com/ryanb/cancan
I have a form on another website (using a different backend) that I want to be able to POST to my Rails application (on a different domain).
How do I generate a valid authenticity token for the external form so that my Rails app will accept it?
Assuming I can do the answer to the above question--is there anything else special I need to do to make this work? Apart from the authenticity token, the rest of it seems pretty straightforward to me...
Thanks for the help!
You can't generate an autenticity token from outside your Rails app.
What you can do, is to disable the token protection only for this action and use a custom implementation based on a before_filter.
skip_before_filter :verify_authenticity_token, :only => :my_action
before_filter :verify_custom_authenticity_token, :only => :my_action
def verify_custom_authenticity_token
# checks whether the request comes from a trusted source
end
You could just remove the check by adding a filter like:
skip_before_filter :verify_authenticity_token, :only => :action_name