[HELP]No :secret given to the #protect_from_forgery call

Camilo_T · March 15, 2008, 8:17pm

I am starting to BDD. When specing the controller I want to test for
object creation:

it “deberia crear una nueva persona en post create” do
Usuario.should_receive(:create).with({:nombre => “camilo”, :clave
=> “secreta”, :tipo => “administrador”}).and_return(@usuario)

post 'create', {:usuario => {:nombre => "camilo", :clave =>

“secreta”, :tipo => “administrador”}}
end

But when I add this spec, I start getting this:
1)
ActionController::InvalidAuthenticityToken in ‘UsuarioController
deberia crear una nueva persona en post create’
No :secret given to the #protect_from_forgery call. Set that or use a
session store capable of generating its own keys (Cookie Session
Store).
./spec/controllers/usuario_controller_spec.rb:30:
script/spec:4:

This is the only failure. Line 30 is the post “create”.

I am on Ruby 1.8.6, Rails 2.0.2, Rspec 1.1.3 (saw in
vendor/plugins/rspec/CHANGES).

I searched google for solutions, found this:

http://blog.stonean.com/2007/12/rspec-and-protectfromforgery.html

then I added
@controller.class.protect_from_forgery :secret => “secretkey”
in the before(:each) method. I put the same secret key I found in
environment.rb. But now it gives me:
ActionController::InvalidAuthenticityToken

I am lost. Why this happens? should not work just fine from the rails
default configuration?.

I have not changed anything in the environment.rb nor application.rb.
This is just a new project to learn BDD and RoR. Thanks for any clue
to get this to work.

Camilo_T · March 15, 2008, 8:28pm

On Mar 16, 2008, at 2:41 PM, Camilo T. wrote:

This is the only failure. Line 30 is the post “create”.
@controller.class.protect_from_forgery :secret => “secretkey”

rspec-users mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/rspec-users

I haven’t tried any of this, but here’s my guess:

One way to get this to work is to stub out protect_from_forgery:

controller.stub!(protect_from_forgery).and_return “foo”

The better question is: why would you intentionally remove a security
feature?

Scott

Camilo_T · March 15, 2008, 11:27pm

I presume the feature is well tested in rails and disable it in the
test environment (which is done by default, I think).

in config/environments/test.rb

Disable request forgery protection in test environment

config.action_controller.allow_forgery_protection = false

-Mike

On Sat, Mar 15, 2008 at 2:26 PM, Scott T.

Camilo_T · March 16, 2008, 3:27pm

Thanks Mike, your comment lead me to the answer:

I was using the development environment to make the tests. I didn’t
realized there were some difference between the environments (not
guessed it).

When I started the project, I edited spec/spec_helper.rb (and also
stories/helper.rb) and changed ENV[“RAILS_ENV”] to “development”,
because I had only one DB user. Of course I can create as many DB
users as I need, this is a development box…

Now using the (right) ENV[“RAILS_ENV”] = “test” and problem is solved.

Thanks to Scott T. for the other comment.

2008/3/16, Mike V. [email protected]: