问题描述:

I'm trying to get a file upload progress bar working in a rails 3 app using uploadify (http://www.uploadify.com) and I'm stuck at authenticity tokens. My current uploadify config looks like

 <script type="text/javascript" charset="utf-8">

$(document).ready(function() {

$("#zip_input").uploadify({

'uploader': '/flash/uploadify.swf',

'script': $("#upload").attr('action'),

'scriptData': { 'format': 'json', 'authenticity_token': encodeURIComponent('<%= form_authenticity_token if protect_against_forgery? %>') },

'fileDataName': "world[zip]",

//'scriptAccess': 'always', // Incomment this, if for some reason it doesn't work

'auto': true,

'fileDesc': 'Zip files only',

'fileExt': '*.zip',

'width': 120,

'height': 24,

'cancelImg': '/images/cancel.png',

'onComplete': function(event, data) { $.getScript(location.href) }, // We assume that we can refresh the list by doing a js get on the current page

'displayData': 'speed'

});

});

</script>

But I am getting this response from rails:

Started POST "/worlds" for 127.0.0.1 at 2010-04-22 12:39:44

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

Rendered /opt/local/lib/ruby/gems/1.8/gems/actionpack-3.0.0.beta3/lib/action_dispatch/middleware/templates/rescues/_trace.erb (1.0ms)

Rendered /opt/local/lib/ruby/gems/1.8/gems/actionpack-3.0.0.beta3/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb (6.6ms)

Rendered /opt/local/lib/ruby/gems/1.8/gems/actionpack-3.0.0.beta3/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb within rescues/layout (12.2ms)

This appears to be because I'm not sending the authentication cookie along with the request. Does anyone know how I can get the values I should be sending there, and how I can make rails read it from HTTP POST rather than trying to find it as a cookie?

网友答案:

Skipping authenticity token checking is not ideal as it opens up XSS attack vectors. Another way to make this work is described here: http://metautonomo.us/2010/07/09/uploadify-and-rails-3/

Note that you may need to double url encode things. In the example the rails 'u' is being used as well as encodeURLComponent(). Howoever, if you have a more fancy/rails3 type set up and source the session data/authenticity token from meta tags in the page header, you will need to call encodeURLComponent() twice.

网友答案:

This seems to be a bug with rails 3.

https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/3913

This meant I had to change how I was skipping the authenticity token checking:

Changed from

protect_from_forgery :except => :upload

To

skip_before_filter :verify_authenticity_token, :only => :upload

Which seems to still work fine

网友答案:

well, i figured how to go around that. Is there a form on the view where you want to upload the files. If u do just use jquery to get the value of the hidden authenticity token and pass it into the scriptData var.

var token = ($('input[name=authenticity_token]').val());
scriptData : {'authenticity_token':token}

Hope this works for you.

相关阅读:
Top