I've almost entirely converted a rails 2.3.5 app to 3pre. I'm having
some trouble with protect_from_forgery. I had protect_from_forgery set
in application_controller.rb, but run some uploadify ajax stuff in one
of my controllers, where I had protect_from_forgery, :except
=> :add_file set.
In rails 3 I'm getting ActionController::InvalidAuthenticityToken on
the ajax upload unless I turn off protect_from_forgery completely in
application_controller.rb. Seems like the exception in my FileUpload
controller (protect_from_forgery :except => :add_file) isn't taking.
Has anyone else experienced this. Should I report a bug or am I doing
something wrong?
I'm experiencing the same issue when implementing Uploadify into a
Rails 3.0.0.beta2 application. A comment and a question:
1) You shouldn't need to disable protect_from_forgery for uploads if
you pass your session data to Uploadify, then back to Rails when you
do the upload. But for the time being, disabling protect_from_forgery
is the only way I've been able to get Uploadify to work too.
2) In order to insert middleware in Rails 3, add the following to
config/application.rb:
However, ActionController::Base.session[:key] is no longer where
session information is stored. I've tried accessing it with it with
Rails.application.config.session_store[:key], looked through the
source and docs.
