Autocomplete plugin with Rails 2.0


#1

I installed the auto_complete plugin found at
http://svn.rubyonrails.org/rails/plugins/auto_complete. When I type a
character in the autocomplete field I get the following error:

Processing EventsController#auto_complete_for_event_location (for 127.0.0.1 at 2007-10-22 22:54:24) [POST]
Session ID:
BAh7BzoMY3NyZl9pZCIlMmE3MzI5MDU4NWVjNTRjMTk1ODBjMWRiYTgzNzIz%0AYWQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%0Ac2h7AAY6CkB1c2VkewA%3D–4397ccb385b2d851c2d39ad5e79fc587433843fc
Parameters: {"event"=>{"location"=>"m"},
"action"=>"auto_complete_for_event_location",
"controller"=>"admin/events"}

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/request_forgery_protection.rb:73:in `verify_authenticity_token'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:469:in `send'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:469:in `call'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:442:in `run'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:713:in `run_before_filters'
/usr/local/lib/ruby/

I changed the routes to include the auto_complete_for_event_location as
a collection.

map.namespace(:admin) do |admin|
  admin.resources :events,
    :collection => { :load => :get },
    :collection => { :auto_complete_for_event_location => :get }
end

The controller is protected by HTTP authentication. Any ideas on why
this is failing? TIA.


#2

On 23 Oct 2007, at 07:00, Bala P. wrote:

Parameters: {"event"=>{"location"=>"m"},
action_controller/filters.rb:469:in `send'

It's the CSRF protection. You either need to get the autocomplete to
include the token, or make it use a get request instead of a post.

Fred


#3

Oh and of course you can turn off forgery protection for a
controller/action with protect_from_forgery, e.g.
protect_from_forgery :only => [:foo, :bar]
(see http://ryandaigle.com/articles/2007/9/24/what-s-new-in-edge-rails-better-cross-site-request-forging-prevention)

Fred


#4

I tried out adding the exclude line:

protect_from_forgery :only => [:tag]

However, it seems ugly that I have to add each method manually. I
tried

protect_from_forgery :exclude => [:auto_complete_for_tag_name]

but that didn’t work. Is this oddness a) a bug or b) just something
the docs for the plugin should discuss?


#5

How can you manually set the token generated by Rails?

This is because I want to use this security feature, but I want to
craft my own forms, or I need to make some POST requests and I need to
set the token manually in the client :S

Thanks in advance.


#6

I have the same error, how do I disable this feature?


#7

On 13 Dec 2007, at 13:31, Adrián De la Cruz wrote:

How can you manually set the token generated by Rails?

I don't think you can, but you can get its value.
The helpful snippet is this bit of code from the Rails view helpers:

def token_tag
  unless protect_against_forgery?
    ''
  else
    tag(:input, :type => "hidden",
        :name => request_forgery_protection_token.to_s,
        :value => form_authenticity_token)
  end
end

Fred


#8

Hi,
I've encountered the same problem and wasted hours on it (I'm new to
Rails…)

I tinkered a bit with the auto_complete plug-in source, adding the
authenticity token to the parameters sent by auto_complete_field in the
same way that prototype_helper does it.
Here's a partial source of the updated method in the file:
\vendor\plugins\auto_complete\lib\auto_complete_macros_helper.rb.
The updated file is attached.

def auto_complete_field(field_id, options = {})

  # ... skip to about line 75:
    js_options[v] = options[k] if options[k]
  end

  # MY CHANGE - add the authenticity token with exactly the same code
  # from the prototype_helper:
  if protect_against_forgery?
    if js_options['parameters']
      js_options['parameters'] << " + '&"
    else
      js_options['parameters'] = "'"
    end
    js_options['parameters'] << "#{request_forgery_protection_token}=' + encodeURIComponent('#{escape_javascript form_authenticity_token}')"
  end
  # END MY CHANGE

  function << (', ' + options_for_javascript(js_options) + ')')

  javascript_tag(function)

end


#9

Bala P. wrote:

I installed the auto_complete plugin found at
http://svn.rubyonrails.org/rails/plugins/auto_complete. When I type a
character in the autocomplete field I get the following error:

Processing EventsController#auto_complete_for_event_location (for 127.0.0.1 at 2007-10-22 22:54:24) [POST]
Session ID:
BAh7BzoMY3NyZl9pZCIlMmE3MzI5MDU4NWVjNTRjMTk1ODBjMWRiYTgzNzIz%0AYWQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%0Ac2h7AAY6CkB1c2VkewA%3D–4397ccb385b2d851c2d39ad5e79fc587433843fc
Parameters: {"event"=>{"location"=>"m"},
"action"=>"auto_complete_for_event_location",
"controller"=>"admin/events"}

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/request_forgery_protection.rb:73:in `verify_authenticity_token'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:469:in `send'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:469:in `call'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:442:in `run'
/usr/local/lib/ruby/gems/1.8/gems/actionpack-1.13.3.7707/lib/action_controller/filters.rb:713:in `run_before_filters'
/usr/local/lib/ruby/

I changed the routes to include the auto_complete_for_event_location as
a collection.

map.namespace(:admin) do |admin|
  admin.resources :events,
    :collection => { :load => :get },
    :collection => { :auto_complete_for_event_location => :get }
end

The controller is protected by HTTP authentication. Any ideas on why
this is failing? TIA.

Hi!

Can you show me your "routes.rb"?

I have so many problems configuring my routes with namespaces. I have
the following error:
Parameters: {"action"=>"usuarios", "persona"=>{"nombre"=>"Gre"},
"id"=>"auto_complete_for_persona_nombre", "controller"=>"admin"}

When my controller is "admin/usuarios"

My routes are:

ActionController::Routing::Routes.draw do |map|
  map.resources :telefonos
  map.resources :direcciones
  map.resources :usuarios
  map.resources :perfiles
  map.resources :personas

  map.namespace(:admin) do |admin|
    admin.resources :usuarios,
      :collection => { :load => :get },
      :collection => { :auto_complete_for_persona_nombre => :get }

    admin.resources :personas,
    admin.resources :perfiles

  end

  map.root :controller => "sesion"

  map.connect ':controller/:action/:id'
  map.connect ':controller/:action/:id.:format'
end


#10

Eric P. wrote:

I tried out adding the exclude line:

protect_from_forgery :only => [:tag]

However, it seems ugly that I have to add each method manually. I
tried

protect_from_forgery :exclude => [:auto_complete_for_tag_name]

but that didn’t work. Is this oddness a) a bug or b) just something
the docs for the plugin should discuss?

use :except instead of :exclude

=> protect_from_forgery :except => [:auto_complete_for_tag_name]


#11

Thanks for taking the time to help us :wink:


#12

use :except instead of :exclude

=> protect_from_forgery :except => [:auto_complete_for_tag_name]

http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#M000493
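
A minimal model of the token check behind the InvalidAuthenticityToken error and of the :only / :except options discussed in this thread, as an added example that is not part of any post and is not Rails code. ForgeryGuard, outcome and the :csrf_token session key are hypothetical names; authenticity_token is the Rails default parameter name.

```ruby
require 'securerandom'

# Simplified model of a per-session authenticity-token filter.
# ForgeryGuard, its methods and the :csrf_token session key are names made up
# for this example; they are not Rails internals.
class ForgeryGuard
  class InvalidToken < StandardError; end

  # only:/except: follow the meaning of the protect_from_forgery options.
  def initialize(only: nil, except: nil)
    @only = only
    @except = except
  end

  # Created once per session; this is the value a form or Ajax call must echo.
  def token_for(session)
    session[:csrf_token] ||= SecureRandom.hex(16)
  end

  # Is the token check enforced for this action at all?
  def protects?(action)
    return @only.include?(action) if @only
    return !@except.include?(action) if @except
    true
  end

  # Returns a symbol saying why the request passed, or raises InvalidToken.
  def verify!(session, action, http_method, params)
    return :unprotected_action unless protects?(action)
    return :get_not_checked if http_method == :get
    sent = params['authenticity_token'].to_s
    raise InvalidToken, "#{action}: token missing or wrong" unless same?(sent, token_for(session))
    :verified
  end

  private

  # Comparison whose running time does not depend on where the strings differ.
  def same?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Runs one constructed request through the guard and reports the result.
def outcome(guard, session, action, http_method, params = {})
  guard.verify!(session, action, http_method, params)
rescue ForgeryGuard::InvalidToken
  :rejected
end
```

With only: [:tag], a POST to any other action (for example :destroy) passes without a token, while except: [:auto_complete_for_tag_name] exempts just that one action and keeps the check everywhere else.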


#13

Thanks Elad Roz

Attachment: auto_complete_macros_helper.rb (7,6 KB)

Your attachment works perfectly.