render_component

Strange bug fixed

Open scambra opened this issue 14 years ago • 3 comments

All requests should be GET; it was failing due to forgery protection when a POST request uses render_component.

For example, using render :active_scaffold in the layout, when a POST request fails due to validation errors, render_component fails due to forgery protection, clears your session, and it will log you out, for example.

scambra avatar Sep 02 '11 13:09 scambra

But doesn't that change the request completely? I mean, a post isn't a get?

vhochstein avatar Sep 02 '11 13:09 vhochstein

I will explain in more detail: I have a layout with render :activescaffold => :controller, :params => {:action => :new} to show a quick form to create a model. To render a new action the request must be a GET.

In a get request, index for example, it works right. But in a post request, when it renders the layout, render_component tries to render the new action as a post request, then it tries to check forgery protection and it fails.

scambra avatar Sep 05 '11 07:09 scambra

I think this makes sense... it's not a real request, the server does not get called, like with JS:remote:true (I think); instead, it is just calling the code in the Ruby process. So if the HTTP_METHOD must be hard-coded to GET, I don't see a problem.

Except that I don't think I needed to make this change. Would it be possible to write a test to reproduce the problem?

mathieujobin avatar Feb 04 '21 05:02 mathieujobin
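
A stand-alone model of the failure discussed in this thread, added here as an example; it is not code from render_component, ActiveScaffold or Rails. It assumes the nested render carries only the params given in the layout (no authenticity token) and that a failed forgery check clears the session; `ModelController`, `render_nested` and `simulate` are hypothetical names.

```ruby
# Simplified model (constructed for illustration) of the forgery-protection
# rule: GET/HEAD skip the token check; any other verb must carry the
# session's authenticity token, otherwise the session is cleared.
require "securerandom"

Request = Struct.new(:http_method, :params)

class ModelController
  attr_reader :session

  def initialize(session)
    @session = session
  end

  # Same shape as a verified_request? check: safe verb, or matching token.
  def verified_request?(request)
    token = request.params[:authenticity_token]
    %w[GET HEAD].include?(request.http_method) ||
      (!token.nil? && token == session[:_csrf_token])
  end

  # A failed check wipes the session, which is what logs the user out.
  def process(request)
    session.clear unless verified_request?(request)
    "rendered #{request.params[:action]}"
  end
end

# Hypothetical stand-in for the in-process component render. Without
# force_get it inherits the outer request's verb; with it, the verb is GET.
def render_nested(session, outer_request, params, force_get:)
  verb = force_get ? "GET" : outer_request.http_method
  ModelController.new(session).process(Request.new(verb, params))
end

# Outer POST (valid token, e.g. a create that fails validation), followed by
# the layout rendering the :new action as a component. Returns the session.
def simulate(force_get:)
  token = SecureRandom.hex(16)
  session = { _csrf_token: token, user_id: 42 } # constructed sample session
  outer = Request.new("POST", { action: :create, authenticity_token: token })
  ModelController.new(session).process(outer)
  render_nested(session, outer, { action: :new }, force_get: force_get)
  session
end
```
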