ActiveResource and InvalidAuthenticityToken exception

Hi,

I have a Rails 2.1.1 web app, and a Rails 2.1.1 app acting as a client
by using ActiveResource.

From the client, I can find, create, and update resources owned by the
web app.

However, I can not delete any. Calling the .destroy method in
ActiveResource generates a 422 from the web app.

Not sure why this would be the case, since I thought
protect_from_forgery only protects HTML and JS requests.

Any idea if this is a bug in ActiveResource that I should dig into, or
is this actually by design and I’m not understanding something about
how to achieve deletes via ActiveResource?

Thanks!
Jeff

Jeff C. wrote:

> Hi,
>
> I have a Rails 2.1.1 web app, and a Rails 2.1.1 app acting as a client
> by using ActiveResource.
>
> From the client, I can find, create, and update resources owned by the
> web app.
>
> However, I can not delete any. Calling the .destroy method in
> ActiveResource generates a 422 from the web app.
>
> Not sure why this would be the case, since I thought
> protect_from_forgery only protects HTML and JS requests.
>
> Any idea if this is a bug in ActiveResource that I should dig into, or
> is this actually by design and I’m not understanding something about
> how to achieve deletes via ActiveResource?
>
> Thanks!
> Jeff

Seeing the same thing, using edge on the client and an older snapshot of
edge on the server. Going to see if updating the server resolves the
issue tonight.

On Sep 29, 12:15 pm, Mike V. wrote:

> Seeing the same thing, using edge on the client and an older snapshot of
> edge on the server. Going to see if updating the server resolves the
> issue tonight.
>
> Posted via http://www.ruby-forum.com/.

Glad to know it’s not just me. I suspect this is a bug somewhere.

Jeff

Check my answer on
http://stackoverflow.com/questions/150076/how-do-i-authenticate-to-activeresource-to-avoid-the-invalidauthenticitytoken-r#150194.
It is not a perfect solution but does provide a workaround.

Mike V. wrote:

> Jeff C. wrote:
>
>> Hi,
>>
>> I have a Rails 2.1.1 web app, and a Rails 2.1.1 app acting as a client
>> by using ActiveResource.
>>
>> From the client, I can find, create, and update resources owned by the
>> web app.
>>
>> However, I can not delete any. Calling the .destroy method in
>> ActiveResource generates a 422 from the web app.
>>
>> Not sure why this would be the case, since I thought
>> protect_from_forgery only protects HTML and JS requests.
>>
>> Any idea if this is a bug in ActiveResource that I should dig into, or
>> is this actually by design and I’m not understanding something about
>> how to achieve deletes via ActiveResource?
>>
>> Thanks!
>> Jeff
>
> Seeing the same thing, using edge on the client and an older snapshot of
> edge on the server. Going to see if updating the server resolves the
> issue tonight.

Issue persists with latest edge on client/server. :(

I see there’s a ticket now, too.

http://rails.lighthouseapp.com/projects/8994/tickets/1145-bug-invalidauthenticitytoken-incorrectly-raised-for-xml-controllerdestroy-request