CSRF vulnerability - Rails 3.2.9 - ruby

I use Rails 3.2.9 on WEBrick. My site seems to be vulnerable to CSRF.
I have already added <%= csrf_meta_tags %> to the layout file.
And added protect_from_forgery in my application controller.
But when I try to make a POST request from a form on another domain, it's possible. My site still seems to be vulnerable to CSRF.
I'm stuck, wondering how to proceed! Please help me out.
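The observation in this post (token protection in place, yet a cross-site POST still goes through) is what Rails 3.2's default failure handling produces. The following is an added example, not Rails' own code and not the poster's application: a stripped-down model of the verified-request check and of the two ways an unverified request can be handled. The class and function names (ForgeryProtection, Request, forged_post and so on) are invented for the illustration.

```ruby
require 'securerandom'

# Added example, not Rails' own code: a stripped-down model of how
# protect_from_forgery decides whether a request is verified in Rails 3.2,
# and what happens when it is not. The point it shows: a cross-site POST
# without a token is NOT rejected by default; the session is reset and the
# action still runs. Names here (ForgeryProtection, Request) are invented.

class InvalidAuthenticityToken < StandardError; end

# What the check looks at: HTTP method, form params, request headers, and
# the contents of the session cookie the browser attached.
Request = Struct.new(:http_method, :params, :headers, :session)

class ForgeryProtection
  TOKEN_PARAM = 'authenticity_token'

  # on_failure: :reset_session mirrors the Rails 3.2 default
  # handle_unverified_request; :exception mirrors overriding it to raise.
  # enabled: false mirrors config.action_controller.allow_forgery_protection
  # = false (the generated default in config/environments/test.rb).
  def initialize(on_failure: :reset_session, enabled: true)
    @on_failure = on_failure
    @enabled = enabled
  end

  # The per-session token; csrf_meta_tags and form_for embed this value.
  def form_authenticity_token(session)
    session['_csrf_token'] ||= SecureRandom.base64(32)
  end

  # Mirrors verified_request?: GET is exempt, otherwise the form param or the
  # X-CSRF-Token header must equal the session token.
  def verified?(req)
    return true unless @enabled
    return true if req.http_method == 'GET'
    token = form_authenticity_token(req.session)
    req.params[TOKEN_PARAM] == token || req.headers['X-CSRF-Token'] == token
  end

  # Returns :processed when the controller action would run.
  def handle(req)
    unless verified?(req)
      case @on_failure
      when :reset_session then req.session.clear # action still runs, but logged out
      when :exception then raise InvalidAuthenticityToken
      end
    end
    :processed
  end
end

# Constructed scenario: a logged-in victim's session cookie travels with a
# POST from a form on another site; the foreign form carries no token.
def forged_post(protection)
  session = { 'user_id' => 42 }
  protection.form_authenticity_token(session)      # token exists in the session
  Request.new('POST', {}, {}, session)
end

def default_behaviour
  fp = ForgeryProtection.new
  req = forged_post(fp)
  [fp.handle(req), req.session.key?('user_id')]    # => [:processed, false]
end

def exception_behaviour
  fp = ForgeryProtection.new(on_failure: :exception)
  fp.handle(forged_post(fp))
  :accepted
rescue InvalidAuthenticityToken
  :rejected                                         # => :rejected
end

def legitimate_post
  fp = ForgeryProtection.new(on_failure: :exception)
  session = { 'user_id' => 42 }
  token = fp.form_authenticity_token(session)
  req = Request.new('POST', { 'authenticity_token' => token }, {}, session)
  [fp.handle(req), req.session['user_id']]         # => [:processed, 42]
end

if __FILE__ == $PROGRAM_NAME
  puts "default:   #{default_behaviour.inspect}"
  puts "exception: #{exception_behaviour.inspect}"
  puts "legit:     #{legitimate_post.inspect}"
end
```

The first case is the Rails 3.2 default: on a failed check, handle_unverified_request calls reset_session, so the forged POST reaches the action with an empty session rather than being refused, which is exactly what "it's possible" looks like from the outside. In a Rails 3.2 application the switch to the second behaviour is overriding handle_unverified_request in ApplicationController to raise ActionController::InvalidAuthenticityToken (the protect_from_forgery with: :exception option only arrived in Rails 4). Two things worth checking before concluding the protection is broken: that the environment used for the test does not set config.action_controller.allow_forgery_protection = false (the generated test environment does), and that no controller on the path uses skip_before_filter :verify_authenticity_token.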

Related

Get the current page URL in Ruby/Rack

I can't seem to find an answer to what should be simple. I'm using Serve, which runs on a WEBrick server. I'd like to be able to grab the current page's URL. How would I do that?
Since Serve uses Rack under the hood, try this in a view:
<%= request.url %>

Embedded rails / ruby not showing up on heroku

My Rails web app isn't showing my embedded Rails & Ruby properly in its views when pushed to Heroku. It works fine on localhost. For example, in my nav bar:
<ul class="nav pull-right">
<li><%= link_to current_user.first_name, user_url(current_user) %></li>
<li><%= link_to "Sign Out", session_url, method: :delete %></li>
</ul>
The first link_to tag in dev displays the signed-in user's first name. When pushed to Heroku it displays the link's URL, not the user's first name. The link works exactly the same way in both and I don't receive any errors. Additionally, on the user's profile page it doesn't display data stored in the database, but in development it does properly.
I've googled around but haven't found anyone documenting a similar problem. I created a completely different Heroku app and the same problem persists.
Any advice or guidance on how to fix it would be greatly appreciated!
Thank you!
There were old attr_accessors in a duplicate model that prevented the data from being saved properly while still allowing the object itself to be saved. Removing this old code enabled the production version to work properly.

Rails 3.1 load Modernizr before my application javascript

I've added modernizr-rails to my Rails project, and it seems to load fine (I can access Modernizr in a debug JavaScript console). According to the documentation, I added the include tag to the HTML head section like so:
<%= javascript_include_tag :modernizr %>
But it seems to load after my application JavaScript file (app/assets/javascripts/app.js), causing any reference to it to fail.
It's a mostly fresh new Rails project; is there anything I'm missing? Or am I meant to wait for the document loaded event before calling Modernizr anyway?
Oops, yes, there was something missing. I had put the javascript_include_tag :modernizr code in my template, rather than the application layout (app/views/layouts/application), which defines the HTML head for all templates in the app.

What is Unobtrusive JavaScript in rails?

I would like to use UJS in my Rails 3 app.
Can anyone explain to me obtrusive and unobtrusive JavaScript in Rails?
Why don't Rails versions before 3 support UJS?
Rails has had JavaScript helpers since early versions.
The difference since Rails 3 is that now it's unobtrusive; by unobtrusive it means that functionality is separated from content.
For example, the following:
<%= link_to "Delete", resource_path(@resource), :method => "delete", :confirm => "Are you sure?" %>
Would render pre Rails 3
Delete
With Rails 3 UJS
Delete
The difference is that unobtrusive JavaScript is handled without inline code in the views; it is passed through the "data" attributes and taken care of in the background by other default JS in your app that picks up these data attributes and runs the corresponding JS code.
UJS is also commonly used for making remote (AJAX) calls using :remote => "true" or link_to_remote.
More info on that here: AJAX on Rails
Basically, UJS means that the JavaScript helpers included in Rails, such as confirmation and AJAX, among others, are separated from the view code (HTML).
UJS helpers can also be easily switched out; for example, if you prefer to use Prototype you could switch easily from jQuery while keeping the helpers' functionality.
The reason older Rails versions didn't support UJS is that it just wasn't built in at the time, so it was done with inline JS.
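The split the answer describes (a helper that emits data attributes, and a separate driver that reads them on click) is shown below as an added example. It is neither Rails' link_to nor the jquery_ujs/rails.js driver, but a small stand-in that produces the same kind of markup and models what the driver does with it; link_attributes, unobtrusive_link_to and ujs_click are invented names.

```ruby
require 'cgi'

# Added example, not Rails' own helper or the jquery_ujs driver: a minimal
# stand-in showing the division of labour behind UJS. The helper emits plain
# data-* attributes (no inline JavaScript); a separate driver reads them on
# click. Function names here are invented.

# Attributes a Rails-3-style link_to puts on the anchor for :method/:confirm.
def link_attributes(href, method: nil, confirm: nil)
  attrs = { 'href' => href }
  attrs['data-confirm'] = confirm if confirm
  if method && method.to_s.downcase != 'get'
    attrs['data-method'] = method.to_s
    attrs['rel'] = 'nofollow'   # keeps crawlers from following a state-changing link
  end
  attrs
end

# Render the anchor. Everything is HTML-escaped; with UJS the attribute values
# are data, never code, so there is no inline-JS string to escape on top of
# the HTML escaping (the pre-Rails-3 onclick style needed both).
def unobtrusive_link_to(text, href, method: nil, confirm: nil)
  rendered = link_attributes(href, method: method, confirm: confirm)
             .map { |k, v| %(#{k}="#{CGI.escapeHTML(v)}") }
             .join(' ')
  %(<a #{rendered}>#{CGI.escapeHTML(text)}</a>)
end

# Model of what the driver does on click: honour data-confirm, then build a
# hidden POST form carrying _method and the token from <meta name="csrf-token">
# (which is why csrf_meta_tags belongs in the layout). Returns nil when the
# user declined the confirm or when the link is a plain GET the driver leaves
# alone.
def ujs_click(attrs, csrf_meta_token: nil, confirmed: true)
  return nil if attrs['data-confirm'] && !confirmed
  return nil unless attrs['data-method']
  fields = { '_method' => attrs['data-method'] }
  fields['authenticity_token'] = csrf_meta_token if csrf_meta_token
  { action: attrs['href'], method: 'POST', fields: fields }
end

if __FILE__ == $PROGRAM_NAME
  attrs = link_attributes('/resources/1', method: :delete, confirm: 'Are you sure?')
  puts unobtrusive_link_to('Delete', '/resources/1', method: :delete, confirm: 'Are you sure?')
  p ujs_click(attrs, csrf_meta_token: 'constructed-example-token')
end
```

Two details carry over to a real application: the form the driver submits is a POST with a _method field, so Rack's method override is what turns it into DELETE on the server, and the authenticity_token field comes from the csrf-token meta tag, so a layout without csrf_meta_tags leaves every data-method link failing the forgery check.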

Can't get rjs to work right, maybe issue with difference between link_to_remote and link_to with :remote => true

I am having problems setting RJS up and I don't know the right way to code this for Rails 2.3.14.
Are they (link_to_remote and link_to with :remote => true) the same, or do they reflect Rails versions, or are they in fact different?
I am using Prototype, as required by my company (so jQuery is not an option).
I also see that there is link_to_function, so I am really not sure what the right approach is!
link_to :remote => true is a Rails 3 convention and doesn't work in Rails 2. Since you are using Rails 2.3 you'll want to use link_to_remote for AJAX calls.
link_to_function is used when you want some JavaScript to run when a link is clicked and not necessarily an AJAX call to the server. Stuff like showing/hiding elements on a page.