Forum: Radiant CMS page_attachments / :secret / #protect_from_forgery error

Steven L. (Guest)
on 2008-11-19 05:10
Hi -

I am haunted by this :secret / #protect_from_forgery /
form_authenticity_token error that seems to stop me every few months.
Luckily it has been in remission for a few months.  I just had a few
hours to finish this site and whammo! Up pops this much feared error.

The cause is that I installed attachment_fu and page_attachments into my
Radiant app.  The installs went smoothly until I tried to edit a page.
Then I got this error:

    ActionController::InvalidAuthenticityToken in Admin/page#edit

    Showing vendor/extensions/page_attachments/app/views/admin/page/_attachments_box.html.erb where line #7 raised:

    No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session

I'm using Active Record Session Store and I don't much care for Cookie
session store because it limits what I can stick in the session. I have
a :secret defined in my environment.rb and I also have

    config.action_controller.allow_forgery_protection = false

in there.  Could somebody tell me how to fix this or point me to
resources to learn about the forgery protection stuff?

(In the meantime I'm googling this topic)

Thank you.

Steven L. (Guest)
on 2008-11-19 05:52
This link appears that it will help.  I would prefer to build sites
without learning anything but sometimes I am forced.
Steven L. (Guest)
on 2008-11-19 06:16
Geez, I don't know what just happened here, but I stuck this line of
code in some obscure file I didn't even know existed and it fixed my

I stuck this line of code:

    protect_from_forgery :secret => 'asdfqwexxcoivswhallelujah!yippee!fqewwel', :except => :index

into my


and the error went away.
Sean C. (Guest)
on 2008-11-19 06:42
(Received via mailing list)
For some reason, the CSRF protections in Rails require that if you use
:active_record_store for sessions, the key given in your config setting
must be equivalent to the key given in the call to protect_from_forgery
in the controller.  One way around this might be to add an
after_initialize block like so:

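    config.after_initialize do
      # The receiver of this call was lost in the archived post; ApplicationController is assumed.
      ApplicationController.protect_from_forgery :secret => 'putyourreallylongsha1hashkeyhere'
    end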
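
A simplified model of why a server-side session store needs a :secret, added here as an example; it is not code from this thread, from Rails or from Radiant. It assumes the form token is an HMAC of the session id keyed by the secret, and the names `csrf_token`, `valid_token?` and `generate_secret` are hypothetical.

```ruby
require 'openssl'
require 'securerandom'

# Raised when no secret is configured, mirroring the situation behind the
# "No :secret given" error quoted in the thread.
class MissingSecret < StandardError; end

# Assumed derivation: token = HMAC-SHA1(secret, session_id). Without a secret
# there is nothing to key the HMAC with, so no token can be issued.
def csrf_token(secret, session_id)
  raise MissingSecret, 'no :secret configured' if secret.nil? || secret.empty?
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, session_id.to_s)
end

# Constant-time comparison, so the check does not reveal how many leading
# characters of a submitted token were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The token is bound to both the secret and the session: a token issued under
# one secret does not validate under another, and a token issued for one
# session does not validate for a different session.
def valid_token?(secret, session_id, submitted)
  secure_compare(csrf_token(secret, session_id), submitted.to_s)
end

# Generate the secret from a CSPRNG once and load it from configuration that
# stays out of source control, rather than typing a memorable string into a
# controller file.
def generate_secret
  SecureRandom.hex(64)
end
```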

Victor Zuniga (Guest)
on 2008-11-19 17:16
(Received via mailing list)
It seems Rails just patched a CSRF vulnerability yesterday.


On 11/18/08 11:41 PM, "Sean C." <removed_email_address@domain.invalid> wrote:

>> 'asdfqwexxcoivswhallelujah!yippee!fqewwel', :except => :index

Victor Zuniga
Westerville Public Library
126 S. State St. | Westerville, OH 43081
Phone: 614.882.7277 | ext 165