When you use form_for in your view, a hidden authenticity_token field is inserted for you, containing a long string that Rails checks to confirm the request came from a form it rendered for your session. In certain conditions, notably AJAX, you may not use form_for and may get an InvalidAuthenticityToken exception, thrown from verify_authenticity_token.
Many articles suggest turning off protect_from_forgery where you need to, using a :only option. I would think twice before doing this. Instead, work to get a valid authenticity token into your request.
First, if you have a form handy, read the token from its hidden authenticity_token field and pass it to your Prototype Ajax.Request as a parameter:
var token = el.getAttribute('value'); // el is the form's hidden authenticity_token input
new Ajax.Request('/lesson_plans/update/' + parent_id, {
  method: 'put',
  // encode both values: the token may contain '+', '/' or '=', which would otherwise be mangled
  parameters: 'course_sequence=' + encodeURIComponent(newval) + '&authenticity_token=' + encodeURIComponent(token)
});
Here, the authenticity token is taken from element el (the hidden authenticity_token input that form_for rendered) and added as a parameter to the Ajax.Request.
If you do not have a form handy, you can add your own, using the helper form_authenticity_token in your view:
<div token="<%= protect_against_forgery?() ? form_authenticity_token() : "" %>">
This produces an authenticity token (identical to one which would appear in a form) and places it in a token attribute of a div if forgery protection is activated; when it is not, the attribute is left empty. Using a method similar to the one above, the attribute may be extracted and added to the request.
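Putting both approaches together, here is an added example (not code from the post) of a small helper that finds the token in either place, percent-encodes it, and builds the options object for Ajax.Request, refusing to send a state-changing request when the page offers no token at all. The function names and makeSamplePage, a constructed stand-in for document, are mine; in the browser you would pass document instead.

```javascript
// Find the Rails authenticity token where the post puts it: a hidden
// authenticity_token input, or the token attribute of the div emitted by
// form_authenticity_token. Returns '' when that div is empty (forgery
// protection is off) and null when neither source is present.
function findAuthenticityToken(doc) {
  var input = doc.querySelector('input[name="authenticity_token"]');
  if (input && input.value) return input.value;
  var holder = doc.querySelector('div[token]');
  return holder ? (holder.getAttribute('token') || '') : null;
}

// Build the form-encoded body. Every value, token included, is percent-encoded,
// so a '&' or '=' inside a value cannot split the parameters (plain string
// concatenation, as in the post, does not encode).
function buildParams(fields, token) {
  var parts = [];
  for (var name in fields) {
    if (Object.prototype.hasOwnProperty.call(fields, name)) {
      parts.push(encodeURIComponent(name) + '=' + encodeURIComponent(fields[name]));
    }
  }
  if (token) parts.push('authenticity_token=' + encodeURIComponent(token));
  return parts.join('&');
}

// Options for new Ajax.Request(url, options). If the page offers no token at
// all, fail here instead of sending a request that will only raise
// InvalidAuthenticityToken (or tempt someone to disable protect_from_forgery).
function ajaxOptions(doc, method, fields) {
  var token = findAuthenticityToken(doc);
  if (token === null) throw new Error('no authenticity_token on page; add form_authenticity_token');
  return { method: method, parameters: buildParams(fields, token) };
}

// Constructed stand-in for `document` that answers only the two selectors above,
// so the helpers can be exercised outside a browser; token values are made up.
function makeSamplePage(hiddenValue, divToken) {
  return {
    querySelector: function (sel) {
      if (sel === 'input[name="authenticity_token"]' && hiddenValue !== undefined) return { value: hiddenValue };
      if (sel === 'div[token]' && divToken !== undefined) return { getAttribute: function () { return divToken; } };
      return null;
    }
  };
}
```

In the view, the call becomes new Ajax.Request('/lesson_plans/update/' + parent_id, ajaxOptions(document, 'put', { course_sequence: newval })).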
Happy coding