I'm using Rails 2.3.8 with Ruby 1.8.7 (both installed via CPanel) and gem 1.3.7 and I'm using MongoDB.
Well, I get the following error when I'm trying to create an user (class User):
Processing UsersController#create (for 127.0.0.1 at 2010-11-13 16:09:55) [POST]
Parameters: {"commit"=>"Create", authenticity_token"=>"3AdGHqazhzJUddjLDIKSNzcGTR8KN1Hh7PL+9+vrJ74=", "user"=> "name"=>"jqa"}}
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken)
Rendering /home/jqa/public_html/web/public/422.html (422 Unprocessable Entity)
Any Help? Thanks in advance
Are you using rails form helper to generate the registration form? I guess not and thats why you are getting this error. I suggest you to use form_for or form_tag method for the form.
You are getting this because rails generate an authenticity token along with the generated form which gets posted back on form submit as a hidden field. With this rails can assume that it is an authentic request from the same app.
If you have generated the form with hand crafter html, this hidden field wont be there in the form and that why rails is cribbing about it!
Related
I am trying to use my rails console to call a public post method in my controller.
rails c
app.post '/servers/important_method'
This obviously gives me:
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
Is there any way to create a session and call that method?
EDIT: I could create a view and restart the production environment, but I'd like to avoid that.
The key here is recognising app is an instance of ActionDispatch::Integration::Session, which includes ActionDispatch::TestProcess and therefore has a #session method that'll supply the authenticity token, once you've woken it up with a request.
We can then use this via the app::post helper, itself a simple wrapper for app's own #process method, which documents the calling parameters.
Putting all of those pieces together, in Rails 5 and later, we might write:
app.get ''
token = app.session[:_csrf_token]
app.post '/servers/important_method', params: { authenticity_token: token }
Note for older versions of Rails:
Since we're talking to the integration test API here, you may use similar forms in integration tests. When upgrading older Rails apps (v4 and earlier), you may find the following test code failing:
post '/servers/important_method', authenticity_token: token
and this should be revised to the new syntax, wrapping the parameters in params: { ... }.
I'm updating an old rails 2 app to rails 4. In the view there is a form field defined like this:
school[existing_address_attributes][666][city]
The model is updated as normal in the controller:
#school.update_attributes(params[:school])
The form works, and submits and saves properly, but I can't tell where existing_address_attributes is defined.
This seems to work similarly to nested attributes. Is this native to rails? Is it some gem? What am I missing?
This is most probably defined by accepts_nested_attributes_for. Check the Rails 2 documentation.
https://gist.github.com/2635937
Rails 3.0.7 on Mac OS X. Issue is occurring in the view, where
= form_for #bulk_order do |f|
is. I don't think the HAML is an issue but I am new to it. Did a scaffold of this in a new/test app. Everything looks good. Controller is straight forward. Thinking the issue has to be in the model. Thoughts?
Since this is a form for user submission, you can see in the gist I didn't include active record::base as I don't want this data saved to the database.
Any input is appreciated. The gist is of the bulk_order model.
If I create a brand new Rails application (using Rails 3.0.9) and knock up a quick bit of scaffolding as follows:
$ rails new testing
$ rails g scaffold thing name:string
Then app/controllers/application_controller.rb contains a "protect_from_forgery" by default, so it should check the authenticity_token during a POST create. At least, that's my understanding.
Why then, does this line successfully create a new Thing, without supplying the token.
$ curl -F "thing[name]=abc123" http://localhost:3000/things
The log entry says:
Started POST "/things" for 127.0.0.1 at 2011-07-05 08:29:18 +0100
Processing by ThingsController#create as
Parameters: {"thing"=>{"name"=>"abc123"}}
AREL (0.3ms) INSERT INTO "things" ("name", "created_at", "updated_at") VALUES ('abc123', '2011-07-05 07:29:18.484457', '2011-07-05 07:29:18.484457')
Redirected to http://localhost:3000/things/18
Completed 302 Found in 89ms
I can also do this to delete records:
$ curl -X DELETE http://localhost:3000/things/18
The same thing happens in production mode. Doesn't this leave my application open to CSRF?
If you pass invalid CSRF token or send request without it, Rails will nullify session, so protect_form_forgery is useless if your application could be accessed by everyone.
But it will save your application from CSRF attack if you have session-based authentication system.
More info: How does Rails CSRF protection work?
there is a scaffold created Story... and in the create action, there is
#story = Story.new(params[:story])
i was curious as to what is in params... so i want to dump out params... but there is no view associated with the create action... is there a way to dump out its content? is there a way to dump out the POST variables in of my code too? (to see what's going on in the lower level)
The easiest thing to do is just dump params out to the log:
Rails.logger.info("PARAMS: #{params.inspect}")
If you're in development mode, just look in your development.log and that line will be there.
The params scope is a combination of URL/FORM (GET/POST) fields, and it will be printed out in the log as part of the normal output processing, so you might not need your own dumping of it - any development or production log contains the params dump at the top of the log line, e.g.
Processing Clients::ClientsController#show (for x.x.x. at 2009-05-24 00:34:26) [GET]
Parameters: {"id"=>"303", "user_id"=>"2"}
Now I know Rails more, you can also simply use a
p params
in your code and look at the console's output (the log shown on the console)
If you're on a Mac, Spike is a great little app the analyses log files and will let you inspect params for requests, amongst other things.
Using Fiddler on Windows, it is shown
the HTTP line #1 is:
POST /stories HTTP/1.1
this is the POST content:
authenticity_token=62iw%2BrsxlCFsbnxsS7FXKRn6CcvJfjottrsBPlM5lZo%3D&story%5Bname%5D=Google+Main+Site&story%5Blink%5D=www.google.com&commit=Create
listed in a table:
authenticity_token 62iw+rsxlCFsbnxsS7FXKRn6CcvJfjottrsBPlM5lZo=
story[name] Google Main Site
story[link] www.google.com
commit Create
and the server log is:
Parameters: {"commit"=>"Create", "story"=>{"name"=>"Google Main Site", "link"=>"www.google.com"}, "authenticity_token"=>"62iw+rsxlCFsbnxsS7FXKRn6CcvJfjottrsBPlM5lZo="}
You don't need to anything except look in your logs (they live in /log). Unless you're fiddling with something, the logging of parameters is turned on by default in all logs.
Processing PostsController#create (for 127.0.0.1 at 2009-05-24 13:03:24) [POST]
Parameters: {"commit"=>"Create", "authenticity_token"=>"2G6BKOs8xNAaXiToVf4r1ko8QZzP9QAomi2PHVQC5Oc=", "story"=>{"something"=>"asdfafd"}}
Parameters lists all parameters, and the hash following "story" is the equivalent of params[:story] (everything comes to the server as strings, and Rails turns it into a HashWithIndifferentAccess so that you can access it with a symbol).
If you're on a *NIX system (including OS X) open a new terminal window/tab and type the following command:
tail -f log/development.log
You'll get a constant stream of requests coming in -- including params -- and the resulting DB actions. Invaluable for development/debugging, IMO.