Rails noob confusion - HTML Form Post to Rails Controller?

I have recently been learning and trying to develop some application
parts using Rails. One issue I may have is that one of the potential
clients will want to have one of their external web pages POST to the
Rails controller.

I tried the naive approach - copy the HTML generated for the Rails
controller action for doing the same POST (Create of a domain
object). I had this working, or so I thought until I restarted the
server and the hidden field for the application authenticity_token had
a value which was no longer valid.

I have looked around for various workarounds.

Is there a Rails Way to have an HTML page which is served as
/public/welcome.html be able to do an HTML POST to the Rails
controller?

Is this simply not allowed?

Thanks.

It's allowed. I think you may need to use something like the following:

protect_from_forgery :only => [:create, …]

Hope that helps.

Hmmm… I am not sure. What I want is to use the create (post) from
outside of Rails from a page from another web app (not Rails). The
front end does the sign on and other stuff and we are like an add-on.
Does that make sense? Perhaps that is pure heresy and I should
provide a web service and have the “front end” page call that via
Ajax?

Apologies if that sounds stupid… I am assuming Rails is pretty
capable for implementing web services… except I thought I read I’d
have to step up and do the forgery protection and such myself.

  • John

This sounds like an ideal case for a web service. Humm, it’s funny that
Rails 2.0 is all about making RESTful web services drop dead simple. You
can do your authentication using HTTP Basic Authentication (easy and
plenty secure for this need when used over SSL).

Scaffold generated code for the create method in the controller:

# POST /people
# POST /people.xml
def create
  @person = Person.new(params[:person])

  respond_to do |format|
    if @person.save
      flash[:notice] = 'Person was successfully created.'
      format.html { redirect_to(@person) }
      # XML clients get 201 Created plus a Location header for the new record
      format.xml  { render :xml => @person, :status => :created, :location => @person }
    else
      format.html { render :action => "new" }
      # XML clients get the validation errors with 422 Unprocessable Entity
      format.xml  { render :xml => @person.errors, :status => :unprocessable_entity }
    end
  end
end

The two lines beginning with format.xml {… are the important bits.
This allows you to create new people (in this example) using a REST
call. This can be done even from a command line using cURL or from
anything that can send an HTTP POST request. In response you get a nice
tidy XML document that you can use in the “client” application for
reporting the results to the user.
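
A client for the REST call described in the last reply, as an added example that is not part of the original thread: it builds the POST /people.xml request with HTTP Basic credentials, refuses to send them over plain HTTP, and maps the scaffold's 201 and 422 responses to a result. The host addon.example, the credentials, the name attribute and all helper names are assumptions made for illustration.

```ruby
require 'net/http'
require 'uri'

XML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&apos;' }.freeze

# Serialize attributes as the <person> document that params[:person] is built from.
# Attribute names are assumed to be trusted, fixed keys; values are escaped.
def person_xml(attrs)
  fields = attrs.map do |name, value|
    "<#{name}>#{value.to_s.gsub(/[&<>"']/, XML_ESCAPES)}</#{name}>"
  end
  "<person>#{fields.join}</person>"
end

# Build (but do not send) the POST /people.xml request.
def build_create_request(base_url, user, password, attrs)
  uri = URI.join(base_url, '/people.xml')
  # Basic credentials are only base64-encoded, so never send them without TLS.
  raise ArgumentError, 'HTTP Basic requires https' unless uri.scheme == 'https'
  req = Net::HTTP::Post.new(uri)
  req.basic_auth(user, password)
  req['Content-Type'] = 'application/xml'
  req.body = person_xml(attrs)
  [uri, req]
end

# Map the scaffold's responses (201 + Location, 422 + <errors>) to a result hash.
def interpret_response(code, location, body)
  case code.to_i
  when 201 then { ok: true, location: location }
  when 422 then { ok: false, errors: body.to_s.scan(%r{<error>(.*?)</error>}m).flatten }
  when 401 then { ok: false, errors: ['authentication failed'] }
  else { ok: false, errors: ["unexpected status #{code}"] }
  end
end

# Send the request; Net::HTTP verifies the server certificate by default.
def create_person(base_url, user, password, attrs)
  uri, req = build_create_request(base_url, user, password, attrs)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  interpret_response(res.code, res['Location'], res.body)
end
```

Because each request carries its own credentials instead of relying on a browser session cookie, this path does not depend on the session-bound authenticity_token that broke the copied HTML form.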