I have a rails application which I am planning to upgrade to rails 5. I am using devise(v4.2.0) along with rails(v5.0.0). As suggested in devise README.md file, I tried moving the protect_from_forgery above the before_filter but still when I am trying to login or update my bug I get an error ActionController::InvalidAuthenticityToken
My Application Controller
is
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception, prepend: true
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:name])
devise_parameter_sanitizer.permit(:account_update, keys: [:name])
end
end
And my other BugController
is
class BugsController < ApplicationController
protect_from_forgery prepend: true, with: :exception
before_action :authenticate_user!
before_action :set_bug, only: [:show, :edit, :update]
def update
respond_to do |format|
if @bug.update(bug_params)
format.html { redirect_to @bug, notice: 'Bug was successfully updated.' }
format.json { render :show, status: :ok, location: @bug }
else
format.html { render :edit }
format.json { render json: @bug.errors, status: :unprocessable_entity }
end
end
end
private
def bug_params
params.require(:bug).permit(:product, :component, :title, :description, :status_id, :created_by_id, :assigned_to_id)
end
end
As indicated in Devise documentation notes for Rails 5
For Rails 5, note that
protect_from_forgery
is no longer prepended to thebefore_action
chain, so if you have setauthenticate_user
beforeprotect_from_forgery
, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or useprotect_from_forgery prepend: true
.
Note : While this answer has the desired effect, it does so by reducing overall security. The below answer by Alon is more correct and maintains the security of the site.
class BugsController < ApplicationController
skip_before_filter :verify_authenticity_token
protect_from_forgery prepend: true, with: :exception
before_action :authenticate_user!
before_action :set_bug, only: [:show, :edit, :update]
end
Like This
I recently hit this in a fairly large way and I found that my error was my application's domain name had recently changed but I forgot to update session_store.rb. That may not be everyone's issue but it will report this as a CSRF error. So please check out config/session_store.rb
I have used something like this and it works for me.
class WelcomeController < ActionController::Base
protect_from_forgery with: :exception
before_action :authenticate_model!
end
This decision helped me. I took the decision [from here] [1]. just as for me, the unfortunate name of that topic, using the keywords of error I didn't get there, so I'll give in this thread, because here is the exact name of the error. in my case, I "added" the following line to the application_controller.rb
file:
protect_from_forgery with:: null_session
there is a solution where it says "REPLACE" line protect_from_forgery with:: exception
, if it exists, to the one I quoted above
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.