Hi,
I can't get in_place_edit to work in rails 2.0
when updating, it always fails with the error message
ActionController::InvalidAuthenticityToken
I have the following code in my controller:
class ArticlesController < ApplicationController
in_place_edit_for :article, :title
and in my view:
<%= in_place_editor_field "article" , "title" %>
any ideas how to fix this?
thanks,
Marc
on 20.12.2007 22:01
on 20.12.2007 23:53
Clear tmp/sessions and did you set a cookie_secret in the environment.rb?

On Dec 21, 2007 7:30 AM, MarcS <marcschuetze@gmail.com> wrote:
> class ArticlesController < ApplicationController
>
--
Ryan Bigg
http://www.frozenplague.net
on 20.12.2007 23:57
cookie_secret is set and temp/sessions is empty, but the problem is still there. Any other ideas?
on 21.12.2007 00:02
A backtrace on the error would be good. Find out if there's any specific files it points to in your application. Something's throwing that error.
on 21.12.2007 00:09
I guess the problem is the following:
When a form is being generated, Rails automatically adds something like this:
<input type="hidden" value="11ff3908e6cd4be7b4041a93b783829ce6b12349" name="authenticity_token"/>
The problem is that in_place_edit doesn't seem to be adding this to the form and therefore the InvalidAuthenticityToken is being raised.
I wonder why no one else had that problem before (at least I didn't find anything about it).
Any idea how to get around that?
thanks
on 21.12.2007 00:13
No idea how to get around that, sorry. You could try generating your own authenticity_token.
on 21.12.2007 00:17
It seems like I either have to hack prototype to make it include the authenticity token somehow (doesn't sound very appealing to me) or I make rails not check the authenticity_token for that action (which I dunno how to do and which would probably not be the best idea from a security point of view)
on 21.12.2007 00:20
On 20.12.2007 at 22:00, MarcS wrote:
> class ArticlesController < ApplicationController
> in_place_edit_for :article, :title
>
> and in my view:
> <%= in_place_editor_field "article" , "title" %>
>
> any ideas how to fix this?

Give it a try:

http://os.flvorful.com/super_in_place_controls

--
Jochen Kaechelin
figgfrosch.de / gissmoh.de / ror-ror.de / railswerk.de
on 21.12.2007 00:22
>
> Give it a try:
>
> http://os.flvorful.com/super_in_place_controls
>

I just tried it here:

<span class="inplace_span" id="guest_namen_1"
onclick="Element.hide(this);$('guest_namen_1_form').show();"
onmouseover="new Effect.Highlight("guest_namen_1",{});"
title="Click to Edit">jochen</span><form action="/guests/
set_guest_namen/1" class="in_place_editor_form"
id="guest_namen_1_form" method="post" onsubmit="new Ajax.Request('/
guests/set_guest_namen/1', {asynchronous:true, evalScripts:true,
onComplete:function(request){$('loader_guest_namen_1').hide();},
onLoading:function(request){$('guest_namen_1_form').hide(); $
('loader_guest_namen_1').show();}, parameters:Form.serialize(this) +
'&authenticity_token=' +
encodeURIComponent('08636d4bb04dee6871dd01cc4b86a559d5e1cf08')});
return false;" style="display:none"><div style="margin:0;padding:
0"><input name="authenticity_token" type="hidden"
value="08636d4bb04dee6871dd01cc4b86a559d5e1cf08" /></div><input
class="inplace_text_field" id="guest_namen" name="guest[namen]"
size="30" type="text" value="jochen" /><input class="inplace_submit"
name="commit" type="submit" value="OK" /><a class="inplace_cancel"
href="#" onclick="$('guest_namen_1_form').hide();$
('guest_namen_1').show() ; return false;">Cancel</a></form><div
class="inplace_loader" id="loader_guest_namen_1"
style="display:none"><img alt="Spinner" src="/images/spinner.gif?
1198155982" /> <span>Saving...</span></div><br></br>

....seems to work...
on 21.12.2007 00:27
It looks like it's just a SHA1 key.
Digest::SHA1.hexdigest("secure")
http://dev.rubyonrails.org/browser/trunk/actionpack/test/controller/request_forgery_protection_test.rb?rev=7668
No idea where it defines the equivalent to "secure".
On Dec 21, 2007 9:41 AM, Ryan Bigg <radarlistener@gmail.com> wrote:
> No idea how to get around that, sorry.
>
> You could try generating your own authenticity_token.
>
--
Ryan Bigg
http://www.frozenplague.net
on 21.12.2007 00:27
thanks Jochen, any idea if this works when I list multiple resources on the same page? For example, I have a project which has multiple stores and multiple products, and needs a description per product per store. So I need to pass the controller a store id and a product id, and then find the description which matches or, alternatively, create one if one doesn't exist. From what I saw by just quickly looking at it, this won't work with my problem.
on 21.12.2007 00:40
I put the following in my controller to make it skip the authenticity_token check:
protect_from_forgery :only => [:create, :delete, :update]
I only have one field in this controller that uses in_place_editor, so I put the update for that field in its own method. My only concern is the security issues, but I haven't found another way around this issue yet.
on 04.01.2008 15:49
Tested workaround:
in_place_edit_for :annotation, :text
protect_from_forgery :except => [:set_annotation_text]
on 06.04.2008 19:58
You can do something like this in your view to make your authenticity
token available to your javascript in your views.
<%= javascript_tag "window._token = '#{form_authenticity_token}'" %>
That will make your authenticity token available to your custom
javascript Ajax requests. If you're using prototype.js and you want to
do a custom PUT, you do something like this.
new Ajax.Request ('/products/1', {
method: 'put',
parameters: 'product[name]=chair&authenticity_token=' +
window._token});
on 08.04.2008 08:37
On Apr 6, 6:58 pm, David Beckwith <rails-mailing-l...@andreas-s.net>
wrote:
> You can do something like this in your view to make your authenticity
Thank you for that David. I have seen several questions around this
but afaik yours is the first example of exactly how to include the
token in a js call - I'll give it a go.
on 10.04.2008 00:00
Hi,
This is what I do:
I register a global javascript variable in my view, let's say:
var authenticityToken = encodeURIComponent('<%= form_authenticity_token %>')
Then I use it in my custom Prototyped Ajax calls:
parameters:'authenticity_token=' + authenticityToken
Hope this helps.
Cya
on 11.04.2008 15:33
and, to make it work in test environment (where request forgery
protection is disabled by default),
<%= javascript_tag "window._token = '#{form_authenticity_token}'" if ActionController::Base.allow_forgery_protection %>
On Apr 6, 9:58 pm, David Beckwith <rails-mailing-l...@andreas-s.net>
on 22.04.2008 10:10
> I just tried it here:
>
> <span class="inplace_span" id="guest_namen_1"
> onclick="Element.hide(this);$('guest_namen_1_form').show();"
> onmouseover="new Effect.Highlight("guest_namen_1",{});"
> title="Click to Edit">jochen</span><form action="/guests/
> set_guest_namen/1" class="in_place_editor_form"
> id="guest_namen_1_form" method="post" onsubmit="new Ajax.Request('/
> guests/set_guest_namen/1', {asynchronous:true, evalScripts:true,
> onComplete:function(request){$('loader_guest_namen_1').hide();},
> onLoading:function(request){$('guest_namen_1_form').hide(); $
> ('loader_guest_namen_1').show();}, parameters:Form.serialize(this) +
> '&authenticity_token=' +
> encodeURIComponent('08636d4bb04dee6871dd01cc4b86a559d5e1cf08')});
> return false;" style="display:none"><div style="margin:0;padding:
> 0"><input name="authenticity_token" type="hidden"
> value="08636d4bb04dee6871dd01cc4b86a559d5e1cf08" /></div><input
> class="inplace_text_field" id="guest_namen" name="guest[namen]"
> size="30" type="text" value="jochen" /><input class="inplace_submit"
> name="commit" type="submit" value="OK" /><a class="inplace_cancel"
> href="#" onclick="$('guest_namen_1_form').hide();$
> ('guest_namen_1').show() ; return false;">Cancel</a></form><div
> class="inplace_loader" id="loader_guest_namen_1"
> style="display:none"><img alt="Spinner" src="/images/spinner.gif?
> 1198155982" /> <span>Saving...</span></div><br></br>
>
> ....seems to work...

You can also use the form_authenticity_token() function to generate it.
Like:

<form action="/posts/search" method="get">
<input name="q" type="text" value="">
<input type="submit" value="Search" />
<input type="hidden" value="<%= form_authenticity_token() %>" name="authenticity_token"/>
</form>
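
The Ajax fixes posted in this thread, gathered into one helper so that no action has to be exempted from protect_from_forgery. This is an added example, not code from any poster, Rails or Prototype; the function names and the sample tokens are assumptions made for illustration. It adds the token to every non-GET request, URL-encodes it, and leaves the parameters untouched when no token was rendered (the test-environment case above).

```javascript
// Added example: hypothetical helper, not part of Rails or Prototype.

// Serialize a flat object into an application/x-www-form-urlencoded string.
function toQueryString(params) {
  return Object.keys(params).map(function (key) {
    return encodeURIComponent(key) + '=' + encodeURIComponent(params[key]);
  }).join('&');
}

// method: HTTP verb; params: query string or flat object;
// token: the value rendered by form_authenticity_token, or null/'' when
// forgery protection is switched off and nothing was rendered.
function withAuthenticityToken(method, params, token) {
  var query = typeof params === 'string' ? params : toQueryString(params || {});
  var verb = String(method || 'post').toLowerCase();
  // GET requests are not token-checked; keep the token out of URLs and logs.
  if (verb === 'get' || !token) return query;
  // Do not add it twice when the caller serialized a form that already has it.
  if (/(^|&)authenticity_token=/.test(query)) return query;
  var pair = 'authenticity_token=' + encodeURIComponent(token);
  return query ? query + '&' + pair : pair;
}

// Constructed sample values, not real tokens.
var hexToken = '0123456789abcdef0123456789abcdef01234567';
var oddToken = 'aB+/cd==';  // characters that break an unencoded query string

function demo() {
  return [
    withAuthenticityToken('put', 'product[name]=chair', hexToken),
    withAuthenticityToken('post', { value: 'new title' }, oddToken),
    withAuthenticityToken('get', 'q=chair', hexToken),
    withAuthenticityToken('post', 'value=x', null)
  ];
}

// With Prototype loaded and window._token set as shown in the thread:
//   new Ajax.Request('/products/1', { method: 'put',
//     parameters: withAuthenticityToken('put', 'product[name]=chair', window._token) });
```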