Ssl_required and form_tag


#1

I don’t quite understand how ssl_required interacts with forms in Ruby
on Rails.

I’ve installed the ssl_requirement plugin, and listed one of my
form-submission actions (:assign_building) in an ssl_required
declaration. The form is shown at the end of this message.

The form includes a select_tag to collect a parameter tagged as
:building_id.

If :assign_building is listed in ssl_required, params does not include
the :building_id key. If it’s not in ssl_required, :building_id is in
params.

I should mention that I have defined default_url_options to set
:protocol => "https://".

How do I ensure that my form will be submitted via SSL, and keep all its
parameters? I’m pretty sure I’m missing a concept here, but of course
I’m too ignorant to know what that concept might be.

ruby 1.8.6 (2008-03-03 patchlevel 114) [universal-darwin9.0]
Rails 1.2.6

-- F

===
<% form_tag :controller => :people, :action => :assign_building, :id => @person do %>
  <% buildings = Building.find(:all, :order => 'facility_location, building').collect { |b| [ b.building, b.id ] } -%>
  <% bldg_opts = options_for_select(buildings, @person.building_id) -%>
  <%= select_tag :building_id, bldg_opts %>
  <%= submit_tag "Set" %>
<% end -%>

Partial log when ssl_required is in effect:

Processing PeopleController#assign_building (for at 2008-12-11 13:11:50) [GET]
Session ID: 31c980c882ed498eaed93fcb08916d63
Parameters: {"action"=>"assign_building", "id"=>"5", "controller"=>"people"}


#2

Fritz A. wrote:

> The form includes a select_tag to collect a parameter tagged as
> :building_id.
>
> If :assign_building is listed in ssl_required, params does not include
> the :building_id key. If it’s not in ssl_required, :building_id is in
> params.
>
> I should mention that I have defined default_url_options to set
> :protocol => "https://".
>
> How do I ensure that my form will be submitted via SSL, and keep all its
> parameters? I’m pretty sure I’m missing a concept here, but of course
> I’m too ignorant to know what that concept might be.

I added the action that presents the form to ssl_required. Form inputs
then once again appeared in the params hash.

My problem is no longer acute, but I don’t quite understand why the
solution works. Is it that the form isn’t presented as https, so the
form action isn’t https? And the form data gets lost in the ssl_required
redirection?

I’d really appreciate it if someone could relieve my conceptual block
here.

-- F

#3

On Thu, Dec 11, 2008 at 5:12 PM, Fritz A.
removed_email_address@domain.invalid wrote:

> My problem is no longer acute, but I don’t quite understand why the
> solution works. Is it that the form isn’t presented as https, so the
> form action isn’t https? And the form data gets lost in the ssl_required
> redirection?

You answered it for yourself: if the form isn’t shown in an SSL context,
it will not post to an SSL page unless you make the form action point
to an SSL page. And post data is lost when you are redirected.

Maurício Linhares
http://alinhavado.wordpress.com/ (pt-br) | http://blog.codevader.com/
(en)
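
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not the ssl_requirement plugin's code: a simplified plain-Ruby model of an HTTPS-enforcing filter and of a browser following its redirect. The host example.test, the building_id value, and the names handle, submit, lost_params and kept_params are assumptions made for the illustration.

```ruby
require 'uri'

# Simplified model of an SSL-enforcing before-filter; not the plugin's code.
SSL_REQUIRED = [:assign_building]                 # action named in the thread
ACTION = '/people/assign_building/5'
FORM   = { 'building_id' => '12' }                # constructed sample value

Request  = Struct.new(:verb, :url, :form)         # form = POSTed body fields
Response = Struct.new(:status, :location, :params)

def handle(req)
  uri = URI.parse(req.url)
  _, _controller, action, id = uri.path.split('/')
  if SSL_REQUIRED.include?(action.to_sym) && uri.scheme != 'https'
    # A redirect carries only a URL; the request body is not part of it.
    return Response.new(302, req.url.sub(/\Ahttp:/, 'https:'), nil)
  end
  Response.new(200, nil, { 'id' => id }.merge(req.form || {}))
end

# Assumed browser behaviour: a 302 is followed with a GET and no body,
# which matches the [GET] and the missing building_id in the log above.
def submit(page_url, form_action, form)
  # A relative form action inherits the scheme of the page showing the form.
  target = URI.join(page_url, form_action).to_s
  res = handle(Request.new('POST', target, form))
  res = handle(Request.new('GET', res.location, nil)) if res.status == 302
  res.params
end

# Form page served over http: POST goes to http, is redirected, body is lost.
def lost_params
  submit('http://example.test/people/show/5', ACTION, FORM)
end

# Form page served over https: POST goes straight to https, body arrives.
def kept_params
  submit('https://example.test/people/show/5', ACTION, FORM)
end

puts "form page over http:  #{lost_params.inspect}"
puts "form page over https: #{kept_params.inspect}"
```

Passing an absolute https URL as the form action from an http page gives the same result as kept_params, which is the second option mentioned in the reply above.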