I’ve almost entirely converted a rails 2.3.5 app to 3pre. I’m having
some trouble with protect_from_forgery. I had protect_from_forgery set
in application_controller.rb, but run some uploadify ajax stuff in one
of my controllers, where I had protect_from_forgery, :except
=> :add_file set.
In rails 3 I’m getting ActionController::InvalidAuthenticityToken on
the ajax upload unless I turn off protect_from_forgery completely in
application_controller.rb. Seems like the exception in my FileUpload
controller (protect_from_forgery :except => :add_file) isn’t taking.
Has anyone else experienced this. Should I report a bug or am I doing
something wrong?
Thanks in advance,
Bryan
Hey Bryan, please do report a bug on Lighthouse. Let’s get that fixed
up for the next beta.
Thanks!
jeremy
On Mon, Feb 8, 2010 at 7:24 PM, bshelton229
I’m experiencing the same issue when implementing Uploadify into a
Rails 3.0.0.beta2 application. A comment and a question:
-
You shouldn’t need to disable protect_from_forgery for uploads if
you pass your session data to Uploadify, then back to Rails when you
do the upload. But for the time being, disabling protect_from_forgery
is the only way I’ve been able to get Uploadify to work too.
-
In order to insert middleware in Rails 3, add the following to
config/application.rb:
config.middleware.insert_before(ActionDispatch::Session::CookieStore,
FlashSessionCookieMiddleware, ActionController::Base.session[:key])
However, ActionController::Base.session[:key] is no longer where
session information is stored. I’ve tried accessing it with it with
Rails.application.config.session_store[:key], looked through the
source and docs.
How do you access the session data in Rails 3?
Thanks, Patrick
On Feb 8, 11:24 pm, bshelton229 [email protected]
Chaps,
Does anyone know if a bug got filed for this issue?
Regards,
Tom
No idea, sorry. Think I just ended up hacking the session key with a
global variable.