Open lalithr95 opened 8 years ago
Hi, Lalith - will this be a help-wanted tag? Maybe we should add links to CSRF token controller code. I also believe that rails.js (https://github.com/rails/jquery-ujs) has csrf token functions built in.

Note also that a CSRF token is sent with inline image uploads on the old system, at https://publiclab.org/post/ -- https://github.com/publiclab/plots2/issues/739 shows how I'm trying to ensure this works in the new Rich Editor as well.
On Sun, Aug 28, 2016 at 2:33 PM, Lalith Rallabhandi <notifications@github.com> wrote:

What happened just before the problem occurred

This could be added as a sub-project for the next GSOC. Most of the forms used in PublicLab don't contain the csrf token parameter, as we don't use the Rails form helpers form_tag / form_for. It could be nice to replace the <form tag with form_tag, which will add the csrf token automatically. Once you can get one form working, it would be the same for the other forms as well. Solving this issue could actually introduce you to different views and features of PublicLab.

Tests

As functional tests don't have csrf enabled, you need to add a test something like the one below to test csrf protection.

```ruby
test "#generate_token ensures CSRF protection" do
  # With forgery protection switched on, a post carrying a bogus
  # authenticity_token must be rejected by Rails.
  assert_raise ActionController::InvalidAuthenticityToken do
    with_forgery_protection do
      post :some_action, authenticity_token: :random
    end
  end
end

private

# Functional tests run with forgery protection disabled; enable it for the
# duration of the block and restore the previous setting afterwards.
def with_forgery_protection
  old_value = ActionController::Base.allow_forgery_protection
  ActionController::Base.allow_forgery_protection = true
  yield
ensure
  ActionController::Base.allow_forgery_protection = old_value
end
```

PublicLab.org username
Lalithr95 (to help reproduce the issue)
@jywarren do we need this issue?
I think it's a good idea for someone to go through and ensure we are using this properly; best keep open. Thanks!
On Mon, Mar 25, 2019 at 2:45 PM Gaurav Sachdeva notifications@github.com wrote:
@jywarren https://github.com/jywarren do we need this issue?
Isn't CSRF protection in-built to Rails?

Also, in application_controller.rb, we have

```ruby
protect_from_forgery unless: -> { is_dataurl_post }
```

In app/views/comments/_form.html.erb, in the form we have

```erb
<input
  type="hidden"
  name="authenticity_token"
  value="<%= form_authenticity_token %>"
/>
```

Is this how it should be extended to other forms?
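As an added illustration (not code from plots2 or Rails), here is a simplified Ruby model of what sits behind the hidden authenticity_token input above and the InvalidAuthenticityToken the earlier test expects: the session keeps one raw token, every rendered form gets a differently masked copy, and the server unmasks the submitted value and compares it in constant time, rejecting a post that carries no token, a malformed one, or one minted for another session. The masking layout and helper names are assumptions that mirror the Rails design rather than its actual implementation.

```ruby
require "securerandom"

# Simplified model of the Rails authenticity-token check (added illustration,
# not code from plots2 or Rails). The session keeps one raw token; each
# rendered form receives a freshly masked copy (one-time pad followed by
# pad XOR token, base64-encoded), and the server unmasks the submitted
# value and compares it with the session token in constant time.
TOKEN_LENGTH = 32

def new_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time equality so a wrong token is not distinguishable by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Roughly what form_authenticity_token emits into the hidden input:
# a different value on every render, all unmasking to the same session token.
def masked_token(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, session_token)].pack("m0")
end

# Roughly what protect_from_forgery does with params[:authenticity_token];
# any failure (missing, malformed, or from another session) means the
# request is rejected (InvalidAuthenticityToken in Rails).
def valid_authenticity_token?(session_token, param)
  return false if session_token.nil? || param.nil?
  decoded = param.unpack1("m0")
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded.byteslice(0, TOKEN_LENGTH)
  masked = decoded.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  secure_compare(xor_bytes(pad, masked), session_token)
rescue ArgumentError
  false
end

# Usage: one session, a legitimate form post and a forged one.
session_token = new_session_token
puts valid_authenticity_token?(session_token, masked_token(session_token)) # true
puts valid_authenticity_token?(session_token, nil)                          # false
```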