undefined method `protect_against_forgery?' for #<ActionView

Hi guys

This is a pretty tricky one.

I get an "undefined method `protect_against_forgery?' for #<ActionView::Base:0x569a3d4>" error when trying to generate a partial from 'outside' the web site. I do this as I have a rake task that checks for changes periodically in the background, and if it then sees a change it rebuilds the partial and posts the result back to the user if he is logged in.

(The posting by rake to the web site is done with Juggernaut, but that's not the issue; the failure happens when trying to build the partial.)

The building of the partial is achieved by instantiating ActionView in the rake task, and it all worked fine until I introduced 'drop_receiving_element' into the partial that gets generated. The latter seems to want to use protect_against_forgery?, which is not available from the lib task.

I am feeling a bit out of my depth here.

Is it just a simple question of somehow including or requiring the module that contains the protection stuff? How would I do this? Or is it much more involved?

Any suggestions would be welcome!

Thanks for reading this!

Pieter Hugo

I struggled with this once, but I got it to work. So here we are!!

Rails has a built-in way of protecting your application from malice. The action of “trying to generate a partial from ‘outside’ the web site” needs some authentication. When authentication is successful, the Rails application generates a hidden input field that contains an authenticity_token. If you raise in your controller before a form post, you will see this param.

In your controller, there exists a “protect_from_forgery” statement that checks for the presence of authenticity_token field and its value.

There are three ways to go about it. (At least these worked for me)

  • Your rake task should authenticate (I don’t know how, but it should)

  • You can cheat it by adding a hidden authenticity_token input field somewhere within the view that is triggered by this rake task. The input field can be as follows:

  • If all else fails, just comment out the “protect_from_forgery” statement in your controller. But be aware of the security risks: some people will easily trick the application and send data without authentication.

Kind regards,
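
A plain-Ruby model of the failure discussed in this thread, added here as an illustration; it is not code from either poster and it does not load Rails. `OfflineView`, `RemoteHelper`, `ForgeryContext`, `ajax_parameters` and the template are hypothetical stand-ins, and the token passed to `render_for` is assumed to be the logged-in user's session token obtained by other means.

```ruby
require "erb"

# Model of a helper such as drop_receiving_element: before emitting the Ajax
# call it asks the view whether CSRF protection is active.
module RemoteHelper
  def ajax_parameters
    return "" unless protect_against_forgery?
    "authenticity_token=" + ERB::Util.url_encode(form_authenticity_token)
  end
end

# Model of the bare view object built in the rake task: it has the helpers
# but none of the methods a controller normally shares with its views.
class OfflineView
  include RemoteHelper

  def render(template)
    ERB.new(template).result(binding)
  end
end

# What the controller would normally contribute, scoped to one view object.
# Assumption: the caller supplies the user's token (or nil if it has none).
module ForgeryContext
  attr_accessor :form_authenticity_token

  def protect_against_forgery?
    !form_authenticity_token.nil?
  end
end

TEMPLATE = "<div id='drop' data-params='<%= ajax_parameters %>'></div>" # constructed

# Reproduces the error from the question: the helper calls a method the
# stand-alone view does not have.
def render_bare
  OfflineView.new.render(TEMPLATE)
rescue NoMethodError => e
  "NoMethodError: #{e.name}"
end

# Fix: give this one view object a forgery context. With a token, the Ajax call
# carries it and the controller-side check can stay on; with nil the partial
# renders but its requests carry no token.
def render_for(token)
  view = OfflineView.new.extend(ForgeryContext)
  view.form_authenticity_token = token
  view.render(TEMPLATE)
end
```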