can't get in_place_edit to work in rails 2.0 => ActionController::InvalidAuthenticityToken

Hi,

I can't get in_place_edit to work in Rails 2.0.
When updating, it always fails with the error message

ActionController::InvalidAuthenticityToken

I have the following code in my controller:

class ArticlesController < ApplicationController
    in_place_edit_for :article, :title

and in my view:
<%= in_place_editor_field "article" , "title" %>

any ideas how to fix this?

thanks,
Marc

cookie_secret is set and temp/sessions is empty
but the problem is still there

any other ideas?

I guess the problem is the following:

When a form is being generated rails automatically adds something like
this:
<input type="hidden" value="11ff3908e6cd4be7b4041a93b783829ce6b12349"
name="authenticity_token"/>

The problem is that in_place_edit doesn't seem to be adding this to
the form and therefore the InvalidAuthenticityToken is being raised.

I wonder why no one else had that problem before (at least I didn't
find anything about it)

Any idea how to get around that?

thanks

It seems like I either have to hack prototype to make it include the
authenticity token somehow (doesn't sound very appealing to me) or I
make rails not check the authenticity_token for that action (which I
dunno how to do and which would probably not be the best idea from a
security point of view)

Give it a try:

http://os.flvorful.com/super_in_place_controls

I just tried it here:

<span class="inplace_span" id="guest_namen_1" onclick="Element.hide(this);$('guest_namen_1_form').show();" onmouseover="new Effect.Highlight(&quot;guest_namen_1&quot;,{});" title="Click to Edit">jochen</span><form action="/guests/set_guest_namen/1" class="in_place_editor_form" id="guest_namen_1_form" method="post" onsubmit="new Ajax.Request('/guests/set_guest_namen/1', {asynchronous:true, evalScripts:true, onComplete:function(request){$('loader_guest_namen_1').hide();}, onLoading:function(request){$('guest_namen_1_form').hide(); $('loader_guest_namen_1').show();}, parameters:Form.serialize(this) + '&amp;authenticity_token=' + encodeURIComponent('08636d4bb04dee6871dd01cc4b86a559d5e1cf08')}); return false;" style="display:none"><div style="margin:0;padding:0"><input name="authenticity_token" type="hidden" value="08636d4bb04dee6871dd01cc4b86a559d5e1cf08" /></div><input class="inplace_text_field" id="guest_namen" name="guest[namen]" size="30" type="text" value="jochen" /><input class="inplace_submit" name="commit" type="submit" value="OK" /><a class="inplace_cancel" href="#" onclick="$('guest_namen_1_form').hide();$('guest_namen_1').show() ; return false;">Cancel</a></form><div class="inplace_loader" id="loader_guest_namen_1" style="display:none"><img alt="Spinner" src="/images/spinner.gif?1198155982" />&nbsp;&nbsp;<span>Saving...</span></div><br></br>

....seems to work...

thanks Jochen,

any idea if this works when I list multiple resources on the same
page?
For example, I have a project which has multiple stores and multiple
products, and needs a description per product per store. So I need to
pass the controller a store id and a product id, and then find the
description which matches or, alternatively, create one if one doesn't
exist.

From what I saw by just quickly looking at it this won't work with my
problem

I put the following in my controller to make it skip the
authenticity_token check:

protect_from_forgery :only => [:create, :delete, :update]

I only have one field in this controller that uses in_place_editor, so
I put the update for that field in
its own method.

My only concern is the security issues, but I haven't found another
way around this issue yet.

Tested workaround:

in_place_edit_for :annotation, :text
protect_from_forgery :except => [:set_annotation_text]

You can do something like this in your view to make your authenticity
token available to your javascript in your views.

<%= javascript_tag "window._token = '#{form_authenticity_token}'" %>

That will make your authenticity token available to your custom
javascript Ajax requests. If you're using prototype.js and you want to
do a custom PUT, you do something like this.

  new Ajax.Request ('/products/1', {
    method: 'put',
    parameters: 'product[name]=chair&authenticity_token=' + window._token});

Thank you for that, David. I have seen several questions around this
but AFAIK yours is the first example of exactly how to include the
token in a js call - I'll give it a go.

Hi,

This is what I do:

I register a global javascript variable in my view, let's say:
var authenticityToken = encodeURIComponent('<%= form_authenticity_token %>')

Then I use it in my custom Prototype Ajax calls:

parameters:'authenticity_token=' + authenticityToken

Hope this helps.

Cya

and, to make it work in the test environment (where request forgery
protection is disabled by default),
<%= javascript_tag "window._token = '#{form_authenticity_token}'" if ActionController::Base.allow_forgery_protection %>
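
The token-passing approach from the posts above, as an added example that is not part of the original thread: `withAuthenticityToken`, `toFormBody`, `parsedToken` and `naiveBody` are hypothetical helpers, and the token is a constructed base64-style value chosen to show why the `encodeURIComponent` call matters (a hex token like the ones quoted in this thread survives either way). It also skips the token on GET, which Rails does not verify, and when the view emitted no token because forgery protection is disabled.

```javascript
// Added example, not code from the thread. All helper names are hypothetical.
// Constructed token: base64-style, so it contains '+', '/' and '='.
const SAMPLE_TOKEN = 'q3+Zk/8xT0a=';

// Serialize an object as application/x-www-form-urlencoded, the format
// Prototype's `parameters` string uses. Keys and values are both encoded.
function toFormBody(params) {
  return Object.keys(params)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
}

// Build the parameter string for an Ajax request. The token is added only
// for state-changing methods: GET is not checked by protect_from_forgery,
// and a token in a GET query string ends up in logs and Referer headers.
// `token` is undefined when the view did not emit one (forgery protection
// disabled, as in the test environment).
function withAuthenticityToken(method, params, token) {
  const verb = String(method || 'post').toLowerCase();
  const body = Object.assign({}, params);
  if (verb !== 'get' && token !== undefined && token !== null) {
    body.authenticity_token = token;
  }
  return toFormBody(body);
}

// What a server reads back from a form-encoded body.
function parsedToken(body) {
  return new URLSearchParams(body).get('authenticity_token');
}

// Plain string concatenation without encoding: '+' is decoded as a space,
// so the server compares a different string and rejects the request.
function naiveBody(params, token) {
  return params + '&authenticity_token=' + token;
}

const good = withAuthenticityToken('put', { 'product[name]': 'chair' }, SAMPLE_TOKEN);
const bad = naiveBody('product[name]=chair', SAMPLE_TOKEN);
console.log('encoded token survives:', parsedToken(good) === SAMPLE_TOKEN);
console.log('unencoded token survives:', parsedToken(bad) === SAMPLE_TOKEN);
```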

You can also use the form_authenticity_token() function to generate it.

Like :
  <form action="/posts/search" method="get">
    <input name="q" type="text" value="">
    <input type="submit" value="Search" />
    <input type="hidden" value="<%= form_authenticity_token() %>" name="authenticity_token"/>
  </form>

Duc Tom wrote:

You can also use the form_authenticity_token() function to generate it.

Like :
  <form action="/posts/search" method="get">
    <input name="q" type="text" value="">
    <input type="submit" value="Search" />
    <input type="hidden" value="<%= form_authenticity_token() %>" name="authenticity_token"/>
  </form>

I just wanted to say THANK YOU for posting about
form_authenticity_token()!!! Being new to ruby/rails, I'm not used to a
lot of the methods or procedures used within the framework. I was stuck
on trying to do a simple search when this saved me.

Thanks again!

-Tony

Hi,
   I'm facing an ActionController::InvalidAuthenticityToken problem.

   I'm trying to communicate between two WEBrick servers on different ports.

   I have 2 applications:
   1) Service
   2) Operation

   Service is running on port 3000 and Operation is running on port 4000,
   and I'm trying to reach the action on port 3000 from port 4000, but when
   I try I get this error. Could anybody help me please?

Thanks in advance,
Harish

Hi,

   I developed a REST application and succeeded, but I want to develop a
   REST application which can perform any arithmetic operation.

   I'm not getting any idea. Can anybody explain it to me, please?

Thanks in advance,
Harish