I installed the auto_complete plugin found at
http://svn.rubyonrails.org/rails/plugins/auto_complete. When I type a
character in the autocomplete field I get the following error:
Processing EventsController#auto_complete_for_event_location (for
127.0.0.1at 2007-10-22 22:54:24) [POST]
Session ID:
BAh7BzoMY3NyZl9pZCIlMmE3MzI5MDU4NWVjNTRjMTk1ODBjMWRiYTgzNzIz%0AYWQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%0Ac2h7AAY6CkB1c2VkewA%3D--4397ccb385b2d851c2d39ad5e79fc587433843fc
Parameters: {"event"=>{"location"=>"m"},
"action"=>"auto_complete_for_event_location",
"controller"=>"admin/events"}
ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/request_forgery_protection.rb:73:in
`verify_authenticity_token'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:469:in
`send'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:469:in
`call'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:442:in
`run'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:713:in
`run_before_filters'
/usr/local/lib/ruby/
I changed the routes to include the auto_complete_for_event_location as a collection.

map.namespace(:admin) do |admin|
  admin.resources :events,
    :collection => { :load => :get },
    :collection => { :auto_complete_for_event_location => :get}
end

The controller is protected by http authentication. Any ideas on why this is failing? TIA.
on 2007-10-23 10:47
on 2007-10-23 12:16
On 23 Oct 2007, at 07:00, Bala Paranj wrote:
> Parameters: {"event"=>{"location"=>"m"},
> action_controller/filters.rb:469:in `send'

It's the CSRF protection. You either need to get the autocomplete to include the token, or make it use a get request instead of a post.

Fred
on 2007-10-23 12:19
Oh and of course you can turn off forgery protection for a controller/action with protect_from_forgery, e.g.

protect_from_forgery :only => [:foo, :bar]

(see http://ryandaigle.com/articles/2007/9/24/what-s-new-in-edge-rails-better-cross-site-request-forging-prevention)

Fred
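The check behind the InvalidAuthenticityToken error above, as an added example that is not part of the original posts and is a simplified model rather than Rails' own code. `ForgeryGuard`, `outcome` and the sample values are hypothetical names constructed for illustration; it shows how the request method and the :only/:except options decide whether the token is checked.

```ruby
# Simplified model of the request forgery check (assumption: not Rails source).
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

class ForgeryGuard
  TOKEN_PARAM = 'authenticity_token' # Rails' default token parameter name

  # only/except mirror the options accepted by protect_from_forgery.
  def initialize(only: nil, except: nil)
    @only = only && only.map(&:to_s)
    @except = (except || []).map(&:to_s)
  end

  # Is this action subject to the token check at all?
  def protected?(action)
    return false if @except.include?(action.to_s)
    @only.nil? || @only.include?(action.to_s)
  end

  # Raises unless the request is a GET or carries the session's token.
  def verify!(action:, method:, params:, session_token:)
    return :skipped_unprotected_action unless protected?(action)
    return :skipped_get if method == :get
    supplied = params[TOKEN_PARAM].to_s
    raise InvalidAuthenticityToken unless secure_compare(supplied, session_token)
    :verified
  end

  private

  # Constant-time comparison so timing does not leak token bytes.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample data modelled on the autocomplete request in the log.
SESSION_TOKEN = SecureRandom.hex(20)
AUTOCOMPLETE = 'auto_complete_for_event_location'
PARAMS = { 'event' => { 'location' => 'm' } }.freeze

def outcome(guard, method, params)
  guard.verify!(action: AUTOCOMPLETE, method: method, params: params,
                session_token: SESSION_TOKEN)
rescue InvalidAuthenticityToken
  :invalid_authenticity_token
end
```

The GET and :except paths skip the check entirely, so they only suit read-only actions such as an autocomplete lookup; anything that changes state should keep the token.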
on 2007-11-22 05:54
I tried out adding the exclude line:

protect_from_forgery :only => [:tag]

However, it seems ugly that I have to add each method manually. I tried

protect_from_forgery :exclude => [:auto_complete_for_tag_name]

but that didn't work. Is this oddness a) a bug or b) just something the docs for the plugin should discuss?
on 2007-12-13 14:32
How can you manually set the token generated by Rails? This is because I want to use this security feature, but I want to craft my own forms, or I need to make some POST requests and I need to set the token manually in the client :S Thanks in advance.
on 2007-12-13 14:51
On 13 Dec 2007, at 13:31, Adrián De la Cruz wrote:
>
> How can you manually set the token generated by Rails?
>

I don't think you can, but you can get its value. The helpful snippet is this bit of code from the rails view helpers:

def token_tag
  unless protect_against_forgery?
    ''
  else
    tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
  end
end

Fred
on 2008-01-10 14:18
Hi,
I've encountered the same problem and wasted hours on it (I'm new to rails...)
I tinkered a bit with the auto_complete plug-in source, adding the authenticity token to the parameters sent by auto_complete_field in the same way that prototype_helper does it.
Here's a partial source of the updated method in the file:
\vendor\plugins\auto_complete\lib\auto_complete_macros_helper.rb.
The updated file is attached

def auto_complete_field(field_id, options = {})
  # ... skip to about line 75:
    js_options[v] = options[k] if options[k]
  end

  # MY CHANGE - add the authenticity token with exactly the same code
  # from the prototype_helper:
  if protect_against_forgery?
    if js_options['parameters']
      js_options['parameters'] << " + '&"
    else
      js_options['parameters'] = "'"
    end
    js_options['parameters'] << "#{request_forgery_protection_token}=' + encodeURIComponent('#{escape_javascript form_authenticity_token}')"
  end
  # END MY CHANGE

  function << (', ' + options_for_javascript(js_options) + ')')
  javascript_tag(function)
end
on 2008-09-06 08:52
Bala Paranj wrote:
> I installed the auto_complete plugin found at
> http://svn.rubyonrails.org/rails/plugins/auto_complete. When I type a
> character in the autocomplete field I get the following error:
>
> Processing EventsController#auto_complete_for_event_location (for
> 127.0.0.1at 2007-10-22 22:54:24) [POST]
> Session ID:
> BAh7BzoMY3NyZl9pZCIlMmE3MzI5MDU4NWVjNTRjMTk1ODBjMWRiYTgzNzIz%0AYWQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%0Ac2h7AAY6CkB1c2VkewA%3D--4397ccb385b2d851c2d39ad5e79fc587433843fc
> Parameters: {"event"=>{"location"=>"m"},
> "action"=>"auto_complete_for_event_location",
> "controller"=>"admin/events"}
>
>
> ActionController::InvalidAuthenticityToken
> (ActionController::InvalidAuthenticityToken):
> /usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/request_forgery_protection.rb:73:in
> `verify_authenticity_token'
> /usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:469:in
> `send'
> /usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:469:in
> `call'
> /usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:442:in
> `run'
> /usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:713:in
> `run_before_filters'
> /usr/local/lib/ruby/
>
> I changed the routes to include the auto_complete_for_event_location as a
> collection.
>
> map.namespace(:admin) do |admin|
>   admin.resources :events,
>     :collection => { :load => :get },
>     :collection => { :auto_complete_for_event_location => :get}
> end
>
> The controller is protected by http authentication. Any ideas on why this is
> failing? TIA.

Hi! Can you show me your "routes.rb"? I have so many problems to configure my routes with namespaces.
I have the following error:

Parameters: {"action"=>"usuarios", "persona"=>{"nombre"=>"Gre"}, "id"=>"auto_complete_for_persona_nombre", "controller"=>"admin"}

When my controller is "admin/usuarios"

My routes are:

ActionController::Routing::Routes.draw do |map|
  map.resources :telefonos
  map.resources :direcciones
  map.resources :usuarios
  map.resources :perfiles
  map.resources :personas
  map.namespace(:admin) do |admin|
    admin.resources :usuarios,
      :collection => { :load => :get },
      :collection => { :auto_complete_for_persona_nombre => :get}
    admin.resources :personas,
    admin.resources :perfiles
  end
  map.root :controller => "sesion"
  map.connect ':controller/:action/:id'
  map.connect ':controller/:action/:id.:format'
end
on 2009-02-06 15:00
Eric Pugh wrote:
> I tried out adding the exclude line:
>
> protect_from_forgery :only => [:tag]
>
> However, it seems ugly that I have to add each method manually. I
> tried
>
> protect_from_forgery :exclude => [:auto_complete_for_tag_name]
>
> but that didn't work. Is this oddness a) a bug or b) just something
> the docs for the plugin should discuss?

use :except instead of :exclude

=> protect_from_forgery :except => [:auto_complete_for_tag_name]
on 2009-02-06 15:02
> use :except instead of :exclude
>
> => protect_from_forgery :except => [:auto_complete_for_tag_name]

http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#M000493
on 2009-02-07 13:21
Thanks Elad Roz
Attachment: auto_complete_macros_helper.rb (7,6 KB)
Your attachment works perfectly.