can't get in_place_edit to work in rails 2.0 => ActionController::InvalidAuthenticityToken

Hi,

I can't get in_place_edit to work in rails 2.0 when updating, it always fails with the error message

ActionController::InvalidAuthenticityToken

I have the following code in my controller:

class ArticlesController < ApplicationController
  in_place_edit_for :article, :title

and in my view: <%= in_place_editor_field "article" , "title" %>

any ideas how to fix this?

thanks, Marc

cookie_secret is set and temp/sessions is empty but the problem is still there

any other ideas?

I guess the problem is the following:

When a form is being generated rails automatically adds something like this: <input type="hidden" value="11ff3908e6cd4be7b4041a93b783829ce6b12349" name="authenticity_token"/>

The problem is that in_place_edit doesn't seem to be adding this to the form and therefore the InvalidAuthenticityToken is being raised.

I wonder why no one else had that problem before (at least I didn't find anything about it).

Any idea how to get around that?

thanks

It seems like I either have to hack prototype to make it include the authenticity token somehow (doesn't sound very appealing to me) or I make rails not check the authenticity_token for that action (which I dunno how to do and which would probably not be the best idea from a security point of view)

Give it a try:

http://os.flvorful.com/super_in_place_controls

I just tried it here:

<span class="inplace_span" id="guest_namen_1" onclick="Element.hide(this);$('guest_namen_1_form').show();" onmouseover="new Effect.Highlight(&quot;guest_namen_1&quot;,{});" title="Click to Edit">jochen</span><form action="/guests/set_guest_namen/1" class="in_place_editor_form" id="guest_namen_1_form" method="post" onsubmit="new Ajax.Request('/guests/set_guest_namen/1', {asynchronous:true, evalScripts:true, onComplete:function(request){$('loader_guest_namen_1').hide();}, onLoading:function(request){$('guest_namen_1_form').hide(); $('loader_guest_namen_1').show();}, parameters:Form.serialize(this) + '&amp;authenticity_token=' + encodeURIComponent('08636d4bb04dee6871dd01cc4b86a559d5e1cf08')}); return false;" style="display:none"><div style="margin:0;padding:0"><input name="authenticity_token" type="hidden" value="08636d4bb04dee6871dd01cc4b86a559d5e1cf08" /></div><input class="inplace_text_field" id="guest_namen" name="guest[namen]" size="30" type="text" value="jochen" /><input class="inplace_submit" name="commit" type="submit" value="OK" /><a class="inplace_cancel" href="#" onclick="$('guest_namen_1_form').hide();$('guest_namen_1').show() ; return false;">Cancel</a></form><div class="inplace_loader" id="loader_guest_namen_1" style="display:none"><img alt="Spinner" src="/images/spinner.gif?1198155982" />&nbsp;&nbsp;<span>Saving...</span></div><br></br>

....seems to work...

thanks Jochen,

any idea if this works when I list multiple resources on the same page? For example, I have a project which has multiple stores and multiple products, and needs a description per product per store. So I need to pass the controller a store id and a product id, and then find the description which matches or, alternatively, create one if one doesn't exist.

From what I saw by just quickly looking at it this won't work with my problem

I put the following in my controller to make it skip the authenticity_token check:

protect_from_forgery :only => [:create, :delete, :update]

I only have one field in this controller that uses in_place_editor, so I put the update for that field in its own method.

My only concern is the security issues, but I haven't found another way around this issue yet.

Tested workaround:

in_place_edit_for :annotation, :text
protect_from_forgery :except => [:set_annotation_text]

You can do something like this in your view to make your authenticity token available to your javascript in your views.

<%= javascript_tag "window._token = '#{form_authenticity_token}'" %>

That will make your authenticity token available to your custom javascript Ajax requests. If you're using prototype.js and you want to do a custom PUT, you do something like this.

new Ajax.Request('/products/1', {
  method: 'put',
  parameters: 'product[name]=chair&authenticity_token=' + window._token
});

Thank you for that, David. I have seen several questions around this but AFAIK yours is the first example of exactly how to include the token in a JS call - I'll give it a go.

Hi,

This is what I do:

I register a global JavaScript variable in my view, let's say:

var authenticityToken = encodeURIComponent('<%= form_authenticity_token %>')

Then I use it in my custom Prototype Ajax calls:

parameters:'authenticity_token=' + authenticityToken

Hope this helps.

Cya

and, to make it work in the test environment (where request forgery protection is disabled by default):

<%= javascript_tag "window._token = '#{form_authenticity_token}'" if ActionController::Base.allow_forgery_protection %>
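
The posts above each append the token by hand to one Ajax call. As an added example (not code from any poster in this thread), the helper below merges the token into Prototype-style request options in one place, for both string and hash `parameters`; the names `withAuthenticityToken` and `TOKEN_PARAM` are hypothetical, and the token values in the usage comment and tests are constructed.

```javascript
// Added example, not from the thread. Pure helper: needs neither Prototype nor a DOM.
// withAuthenticityToken and TOKEN_PARAM are hypothetical names.
const TOKEN_PARAM = 'authenticity_token';

// Returns a copy of Prototype-style Ajax options with the CSRF token merged
// into `parameters`. GET requests are returned untouched: Rails does not apply
// the forgery check to GET, and the token is better kept out of URLs and logs.
function withAuthenticityToken(options, token) {
  const opts = Object.assign({}, options);
  const method = (opts.method || 'post').toLowerCase(); // Prototype defaults to POST
  if (method === 'get' || !token) return opts;

  const params = opts.parameters;
  if (params && typeof params === 'object') {
    // Hash form: the value is passed raw, because the code that serializes
    // the hash into a query string does the URL-encoding.
    opts.parameters = Object.assign({}, params, { [TOKEN_PARAM]: token });
    return opts;
  }

  // String form: drop any stale token pair, then append the encoded token so
  // characters such as '+', '/' and '=' survive form decoding on the server.
  const pairs = String(params || '').split('&').filter(function (pair) {
    return pair !== '' && pair.split('=')[0] !== TOKEN_PARAM;
  });
  pairs.push(TOKEN_PARAM + '=' + encodeURIComponent(token));
  opts.parameters = pairs.join('&');
  return opts;
}

// Usage in a page that loads prototype.js and sets window._token as shown above:
//   new Ajax.Request('/products/1', withAuthenticityToken(
//     { method: 'put', parameters: 'product[name]=chair' }, window._token));
```

With every state-changing request routed through one helper like this, the controller can keep `protect_from_forgery` enabled for the in-place edit action instead of listing it under `:except`.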

You can also use the form_authenticity_token() function to generate it.

Like:

<form action="/posts/search" method="get">
  <input name="q" type="text" value="">
  <input type="submit" value="Search" />
  <input type="hidden" value="<%= form_authenticity_token() %>" name="authenticity_token"/>
</form>

Duc Tom wrote:

You can also use the form_authenticity_token() function to generate it.

Like:

<form action="/posts/search" method="get">
  <input name="q" type="text" value="">
  <input type="submit" value="Search" />
  <input type="hidden" value="<%= form_authenticity_token() %>" name="authenticity_token"/>
</form>

I just wanted to say THANK YOU for posting about form_authenticity_token()!!! Being new to Ruby/Rails, I'm not used to a lot of the methods or procedures used within the framework. I was stuck on trying to do a simple search when this saved me.

Thanks again!

-Tony

Hi,

I'm facing an ActionController::InvalidAuthenticityToken problem.

I'm trying to make two WEBrick servers on different ports communicate.

I have 2 applications: 1) Service 2) Operation

Service is running on port 3000 and Operation is running on port 4000, and I'm trying to get the action on port 3000 from port 4000, but when I try I get this error. Could anybody help me please?

Thanks in advance, Harish

Hi,

I developed a REST application and it was a success, but I want to develop a REST application which can perform any arithmetic operation.

I'm not getting any ideas. Can anybody explain it to me, please?

Thanks in advance, Harish