#6617 rails 3.0.5 problem with csrf_meta_tag - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#6617 ✓invalid

rails 3.0.5 problem with csrf_meta_tag

Reported by rdinca | March 24th, 2011 @ 05:03 PM

I updated the bundle and after that, an update action of mine stopped working properly. There was no error in the logs(but nothing was updated), and when I tried to access another page (html) , i was automatically logged out. So I searched with firebug, and saw a 401 error, Unauthorized access or so, so I tried :
skip_before_filter :verify_authenticity_token, :only => "update"

and things worked again. Now I reverted to 3.0.3 and it works without skipping the filter, so something must have happened in the transition from 3.0.3 to 3.0.5 with csrf_meta_tag, probably not being sent properly or something!

Comments and changes to this ticket

Andrew White March 24th, 2011 @ 05:17 PM
- State changed from “new” to “needs-more-info”
- Importance changed from “” to “Low”
Are you using ajax requests? Is it possible that you're being affected by this change: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ru...

You don't mention what you're using for authentication - if you're using devise then you need to update to at least 1.1.6 to take account of the change in 3.0.4:
https://github.com/plataformatec/devise/blob/v1.1/CHANGELOG.rdoc
You flagged this item as spam.
rdinca March 25th, 2011 @ 08:26 AM
Yes, I am using Ajax requests... and that change might have affected me, but I used rake rails:update command and now I am getting an error in rails.js.
Uncaught TypeError: Object # has no method 'on'
(anonymous function)rails.js:128 (anonymous function)

And indeed, I do use devise for authentication, but 1.2rc2 ... so > 1.1.6.

I also add that I am using jquery, so the new error might be related to not having the proper rails.js ... but where do I get the one for jquery from, if there is one for 3.0.5 ?
You flagged this item as spam.
rdinca March 25th, 2011 @ 08:35 AM
Oh .. I forgot I was using jquery-rails gem for that ... after a rails g jquery:install, things started working ok.
Andrew White March 25th, 2011 @ 09:28 AM
- State changed from “needs-more-info” to “invalid”