I get an “undefined method `protect_against_forgery?’ for
#<ActionView::Base:0x569a3d4>” error when trying to generate a partial
from ‘outside’ the web site. I do this as I have a rake task that checks
for changes periodically in the background, and if it then sees a change
it rebuilds the partial and posts the result back to the user if he is
logged in.
(The posting by rake to the web site is done with juggernaut, but that’s
not the issue; the failure happens when trying to build the partial.)
The building of the partial is achieved by instantiating ActionView in
the rake task, and it all worked fine until I introduced
‘drop_receiving_element’ into the partial that gets generated. The
latter seems to want to use protect_against_forgery? - which is not
available from the lib task.
I am feeling a bit out of my depth here.
Is it just a simple question of somehow including or requiring the
module that contains the protection stuff? How would I do this? Or is it
much more involved?
Any suggestions would be welcome!
Thanks for reading this!
Pieter H.
I struggled with this once, but I got it to work. So here we are!!
Rails has some inbuilt way of protecting your application from malice. The
action of “trying to generate a partial from ‘outside’ the web site” needs
some authentication. When authentication is successful, the Rails application
generates a hidden input field that contains an authenticity_token. If you
raise in your controller before a form post you will see this param.
In your controller, there exists a “protect_from_forgery” statement that
checks for the presence of the authenticity_token field and its value.
There are three ways to go about it. (At least these worked for me)
1. You need your rake task to authenticate (I don’t know how, but it should)
2. You can cheat it by adding a hidden authenticity_token input field
somewhere within the view that is triggered by this rake task. The input
field can be as follows:
3. If all fails, just comment out the “protect_from_forgery” statement in
your controller. But be aware of the security risks: Some people will easily
trick the application and send data without authentication.
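
The token check described in the reply above, as an added example that is not part of the original thread and is not Rails' own code: a simplified plain-Ruby model of a session-bound authenticity_token, showing which posts pass and what option 3 gives up. The class `ForgeryCheck`, its methods, the `:_csrf_token` session key and the sample requests are assumptions constructed for illustration.

```ruby
require "securerandom"

# Simplified model of a session-bound authenticity token check.
# Hypothetical names; not the Rails implementation.
class ForgeryCheck
  def initialize(enabled: true)
    @enabled = enabled # false models a commented-out protect_from_forgery
  end

  # One random token per session, stored server-side in the session.
  def token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Hidden field a form in a rendered view would carry for this session.
  def hidden_field(session)
    %(<input type="hidden" name="authenticity_token" value="#{token_for(session)}" />)
  end

  # A post is accepted only when the submitted token matches the session's.
  def verified?(session, params)
    return true unless @enabled
    expected = session[:_csrf_token]
    given = params["authenticity_token"]
    return false if expected.nil? || given.nil?
    secure_equal?(expected, given)
  end

  private

  # Compare without stopping at the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed scenario: one logged-in session and four incoming posts.
def demo
  session = {}
  check = ForgeryCheck.new
  token = check.token_for(session)
  { with_token:    check.verified?(session, "authenticity_token" => token),
    without_token: check.verified?(session, {}),
    wrong_token:   check.verified?(session, "authenticity_token" => SecureRandom.base64(32)),
    check_removed: ForgeryCheck.new(enabled: false).verified?(session, {}) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Only the post carrying the session's own token passes while the check is enabled; with the check removed, the post with no token at all is accepted as well.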