Forum: Radiant CMS page_attachments / :secret / #protect_from_forgery error

Steven Line (sline)
on 2008-11-19 04:10
Hi -

I am haunted by this :secret / #protect_from_forgery /
form_authenticity_token error that seems to stop me every few months.
Luckily it has been in remission for a few months.  I just had a few
hours to finish this site and whammo! Up pops this much feared error.

The cause is that I installed attachment_fu and page_attachments into my
Radiant app.  The installs went smoothly until I tried to edit a page.
Then I got this error:

----------------------------------------------------------------
    ActionController::InvalidAuthenticityToken in Admin/page#edit

    Showing vendor/extensions/page_attachments/app/views/admin/page/_attachments_box.html.erb where line #7 raised:

    No :secret given to the #protect_from_forgery call.  Set that or use
    a session store capable of generating its own keys (Cookie Session
    Store).
----------------------------------------------------------------

I'm using Active Record Session Store and I don't much care for Cookie
session store because it limits what I can stick in the session. I have
a :secret defined in my environment.rb and I also have

    config.action_controller.allow_forgery_protection = false

in there.  Could somebody tell me how to fix this or point me to
resources to learn about the forgery protection stuff?

(In the mean time I'm googling this topic)

Thank you.

Steve
Steven Line (sline)
on 2008-11-19 04:52
This link appears that it will help.  I would prefer to build sites
without learning anything but sometimes I am forced.

http://api.rubyonrails.org/classes/ActionControlle...
Steven Line (sline)
on 2008-11-19 05:16
Geez, I don't know what just happened here, but I stuck this line of
code in some obscure file I didn't even know existed and it fixed my
problem.

I stuck this line of code:

   protect_from_forgery :secret =>
'asdfqwexxcoivswhallelujah!yippee!fqewwel', :except => :index

into my

   radiant-0.6.9/app/controllers/admin/page_controller.rb

and the error went away.
Sean Cribbs (seancribbs)
on 2008-11-19 05:42
(Received via mailing list)
For some reason, the CSRF protections in Rails require that if you use
:active_record_store for sessions, the key given in your config setting
must be equivalent to the key given in the call to protect_from_forgery
in the controller.  One way around this might be to add an
after_initialize block like so:

# environment.rb: set the CSRF :secret once, after Rails has loaded, so every
# controller's protect_from_forgery sees the same key
config.after_initialize do
  ActionController::Base.request_forgery_protection_options.update(
    :secret => 'putyourreallylongsha1hashkeyhere'
  )
end

Sean
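Added example, not code from this thread or from Radiant/Rails: a small Ruby model of why the secret in environment.rb and the secret seen by protect_from_forgery must agree when the session store cannot mint its own keys. The derivation (an HMAC-SHA1 of the session id keyed by the :secret) is an assumption modelled on the Rails 2.1-era implementation; the secrets, session id and function names are constructed for the demonstration. The verification step uses a constant-time comparison, which is a hardening on top of what Rails of that era did.

```ruby
require 'openssl'

# Same wording as the error the thread reports, raised when no secret is set
# and the session store cannot generate its own keys.
NO_SECRET_MESSAGE = "No :secret given to the #protect_from_forgery call. " \
                    "Set that or use a session store capable of generating " \
                    "its own keys (Cookie Session Store)."

# Mint the token a form will carry: HMAC-SHA1 over the server-side session id,
# keyed by the configured secret (assumed Rails 2.1-style derivation).
def mint_authenticity_token(secret, session_id)
  raise ArgumentError, NO_SECRET_MESSAGE if secret.nil? || secret.to_s.empty?
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret.to_s, session_id.to_s)
end

# Constant-time comparison so a failed check does not leak how many leading
# bytes of the token matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify a submitted token against what the server would mint for this session.
def authentic?(secret, session_id, submitted_token)
  return false if submitted_token.nil?
  secure_compare(mint_authenticity_token(secret, session_id), submitted_token.to_s)
end

# Constructed sample values standing in for the thread's setup.
CONFIG_SECRET     = 'secret-from-environment-rb'       # hypothetical
CONTROLLER_SECRET = 'secret-from-protect_from_forgery' # hypothetical
SESSION_ID        = 'e1f2a3b4c5d6'                     # hypothetical

# The form is rendered under the config secret; the submit is checked under
# whichever secret the controller ended up with.
def thread_scenario
  token = mint_authenticity_token(CONFIG_SECRET, SESSION_ID)
  {
    same_secret:       authentic?(CONFIG_SECRET, SESSION_ID, token),
    mismatched_secret: authentic?(CONTROLLER_SECRET, SESSION_ID, token)
  }
end

if __FILE__ == $PROGRAM_NAME
  p thread_scenario
  begin
    mint_authenticity_token(nil, SESSION_ID)
  rescue ArgumentError => e
    puts e.message
  end
end
```

The mismatched case is the one that bites when an extension's view and the app's controller run under different secrets: every form renders a token that the next request rejects. Setting the secret once in an after_initialize block, as above, removes the chance of the two drifting apart.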
Victor Zuniga (Guest)
on 2008-11-19 16:16
(Received via mailing list)
It seems Rails just patched a CSRF vulnerability yesterday.

http://weblog.rubyonrails.com/2008/11/18/potential...
tection-in-rails-2-1

Victor

On 11/18/08 11:41 PM, "Sean Cribbs" <seancribbs@gmail.com> wrote:

>
>> 'asdfqwexxcoivswhallelujah!yippee!fqewwel', :except => :index
> Radiant mailing list
> Post:   Radiant@radiantcms.org
> Search: http://radiantcms.org/mailing-list/search/
> Site:   http://lists.radiantcms.org/mailman/listinfo/radiant

Victor Zuniga
Westerville Public Library
126 S. State St. | Westerville, OH 43081
Phone: 614.882.7277 | ext 165