Showing posts with label rails. Show all posts

Thursday, November 19, 2009

Open up your pages for outside requests

My previous post showed how to POST a form to another site. Rails (in the current version anyway!) includes a basic solution to make XSS (Cross-Site Scripting) or CSRF (Cross-Site Request Forgery) harder. In the application controller the protect_from_forgery method checks requests via a token; a request coming from the outside cannot provide the right token...

Turning this protection off on specific actions is possible (with care, and with alternative protection measures in place, I suggest!). This is an example:


protect_from_forgery :except => [:process_payment]
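To make the trade-off concrete, here is an added example (plain Ruby, not Rails code and not from the original post) that models what protect_from_forgery checks for a normal action, and the kind of "alternative protection" an exempted action such as process_payment should get instead: a shared-secret HMAC over the request body. PaymentsController, WEBHOOK_SECRET and the X-Signature header are assumptions for this example.

```ruby
# Added example (not from the original post): a plain-Ruby model of the
# protect_from_forgery token check plus an HMAC check for the exempted action.
# PaymentsController, WEBHOOK_SECRET and the X-Signature header are assumptions.
require 'openssl'
require 'securerandom'

# Constant-time comparison so a forged token or signature cannot be
# confirmed byte by byte through timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  res = 0
  a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
  res.zero?
end

class PaymentsController
  # Mirrors: protect_from_forgery :except => [:process_payment]
  FORGERY_EXEMPT = [:process_payment].freeze

  # Shared secret agreed with the payment provider (constructed value).
  WEBHOOK_SECRET = 'example-shared-secret-change-me'.freeze

  attr_reader :session, :params, :headers, :raw_body

  def initialize(session:, params: {}, headers: {}, raw_body: '')
    @session, @params, @headers, @raw_body = session, params, headers, raw_body
  end

  # The token a Rails form embeds as the hidden authenticity_token field.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # What protect_from_forgery does for non-exempt actions: the submitted
  # token must match the one stored in the session.
  def verified_request?
    submitted = params[:authenticity_token] || headers['X-CSRF-Token']
    !submitted.nil? && secure_compare(submitted.to_s, form_authenticity_token)
  end

  # Alternative protection for the exempted callback: the sender signs the
  # raw body with the shared secret; we recompute the HMAC and compare.
  def valid_webhook_signature?
    expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), WEBHOOK_SECRET, raw_body)
    secure_compare(headers['X-Signature'].to_s, expected)
  end

  # Exempt actions skip the CSRF token but must pass their own check.
  def dispatch(action)
    if FORGERY_EXEMPT.include?(action)
      return :forbidden unless valid_webhook_signature?
    else
      return :forbidden unless verified_request?
    end
    :ok
  end

  # Helper the sending side (the payment provider) would use.
  def self.sign(body)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), WEBHOOK_SECRET, body)
  end
end
```

The point of the split is that exempting an action removes one check, so the action needs a different one; an unsigned or tampered body to process_payment is rejected just as a form without the session token is.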



Wednesday, November 4, 2009

observe_field in rails (2.3.4)

The last two days I was busy finding out why my field observer didn't work. I followed the book (AWDR3) but somehow it failed.

I used a controller on a sublevel (pim/offers) and that made things a bit harder. I wanted to add an action, which wasn't found. I had to add it to routes.rb (via the :collection argument!). The default expected method is :post, so take care of that.

For the observer I needed, I had to provide the year and month fields. The book gave an option of concatenating some things. This is, by the way, where I lost a lot of time: I did not copy the book's "encodeURIComponent(value)" part exactly, I started with an uppercase E. After more than a day I found it, yeah!
After I found that nasty error I was looking for a way to pass multiple parameters. I found this: "Form.serializeElements($('month_date', 'year_date'))". You provide a comma-separated list of ids and their values are serialized for you.

Below is the copied part of a working rails based field observer.


<%= observe_field :month_date, :update => "list",
      :before => "Element.show('spinner')",
      :complete => "Element.hide('spinner')",
      :url => {:action => :month_offers, :only_path => false},
      :with => "Form.serializeElements($('month_date', 'year_date'))"
%>
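What the observer actually sends, and what the :month_offers action receives, is easy to lose sight of while debugging. The added example below (plain Ruby, not from the original post and not Rails' own code) models the string Form.serializeElements builds from the two field ids in the post, then parses it the way the controller would see it in params and validates the month and year before they go anywhere near a query. The field ids come from the post; serialize_elements, parse_params and month_range and the validation ranges are assumptions for this example.

```ruby
# Added example (not from the original post): the request the observer
# produces and the server-side parsing/validation of it. Function names and
# the accepted year range are assumptions for this example.
require 'cgi'
require 'date'

# Browser side, modelled in Ruby: Form.serializeElements($('month_date','year_date'))
# yields "month_date=11&year_date=2009", each value passed through
# encodeURIComponent (lowercase e, as the post found the hard way).
def serialize_elements(fields)
  fields.map { |id, value| "#{CGI.escape(id.to_s)}=#{CGI.escape(value.to_s)}" }.join('&')
end

# Server side: the body of the POST to the :month_offers collection action
# (declared in routes.rb as a :collection route, as the post describes).
# Rails would hand this over as params[:month_date] / params[:year_date];
# here the form-encoded body is parsed directly.
def parse_params(body)
  CGI.parse(body).transform_values(&:first)
end

# Validate before touching the database: anything that is not a plausible
# month/year pair is rejected (nil) rather than used to build a query.
def month_range(params)
  month = Integer(params['month_date'], 10) rescue nil
  year  = Integer(params['year_date'], 10) rescue nil
  return nil unless month && year
  return nil unless (1..12).cover?(month) && (1970..2100).cover?(year)
  first = Date.new(year, month, 1)
  first..Date.new(year, month, -1) # -1 is the last day of that month
end
```

Because the observer fires on every change of month_date, the action is hit often with whatever the browser holds in the two fields; returning nil for a bad pair and rendering an empty list is simpler and safer than trusting the values.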


Hope I helped some people with this post. Good luck!
