11

Updated:
Problem solved
I just had to put protect_from_forgery in the Users controller. Thanks to all.


Rails 4.0.2
When I try to create a new record in the users table, I get this message in the browser:

ActionController::InvalidAuthenticityToken in UsersController#create
ActionController::InvalidAuthenticityToken

But it happens only in the Chrome (32.0.1700.107) and Opera (12.16) browsers. In Firefox (27.0.1) and IE 10.0.13 everything works fine. Maybe it does not matter, but I should also say that I use has_secure_password (bcrypt_ruby).

Rails Log:

```
...
Started POST "/users" for 127.0.0.1 at 2014-02-19 10:26:05 +0400
Processing by UsersController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"93jpgxCSY3XzZkIJKraOodyObBoaPoPMVz3RiOVBL10=", "user"=>{"name"=>"", "surname"=>"", "patronymic"=>"", "email"=>"", "address"=>"", "phone"=>"", "phone2"=>"", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "commit"=>"Создать пользователя"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 2ms

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  actionpack (4.0.2) lib/action_controller/metal/request_forgery_protection.rb:163:in `handle_unverified_request'
  actionpack (4.0.2) lib/action_controller/metal/request_forgery_protection.rb:170:in `handle_unverified_request'
  actionpack (4.0.2) lib/action_controller/metal/request_forgery_protection.rb:177:in `verify_authenticity_token'
...
```

View file users/new.html.slim:

```slim
= stylesheet_link_tag 'users'
.new_user_container
  = form_for @user do |f|
    = f.label "Имя"
    br
    = f.text_field :name
    br
    = f.label "Фамилия"
    br
    = f.text_field :surname
    br
    = f.label "Отчество"
    br
    = f.text_field :patronymic
    br
    = f.label "Пароль"
    br
    = f.password_field :password
    br
    = f.label "Подтверждение пароля"
    br
    = f.password_field :password_confirmation
    br
    br
    = f.submit "Создать пользователя"
```
ElCoyote
  • do you have `<%= csrf_meta_tags %>` in your application.html.erb? – devanand Feb 19 '14 at 07:01
  • @devanand Yes, I do. But after removing this line I get the same error =( – ElCoyote Feb 19 '14 at 07:05
  • maybe this helps http://stackoverflow.com/questions/20875591/actioncontrollerinvalidauthenticitytoken-in-registrationscontrollercreate?rq=1 – devanand Feb 19 '14 at 07:10
  • try adding this to `application_controller.rb`: `protect_from_forgery with: :null_session` – Roman Kiselenko Feb 19 '14 at 07:23
  • or you can skip this filter: `skip_before_action :verify_authenticity_token` – Roman Kiselenko Feb 19 '14 at 07:27
  • @devanand Thank you. I wrote `protect_from_forgery except: :create` and this helped. But I believe this is a wrong and dangerous way. – ElCoyote Feb 19 '14 at 07:28
  • yes, you are right. It may work, but it's not a good way because it's dangerous – devanand Feb 19 '14 at 07:32
  • @Monk_Code I have tried `protect_from_forgery except: :create` already and this works. Thank you. If this is a bug in Rails then I have no way to solve it, only turning off this function. It's sad. – ElCoyote Feb 19 '14 at 07:36
  • this is not a bug, it's a feature, read [this](https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L162) and [this](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html) – Roman Kiselenko Feb 19 '14 at 07:41
  • @Monk_Code In other words, it means that it's normal behaviour when 2 browsers out of 4 are not supported. If so, then I can only block this feature. Right? – ElCoyote Feb 19 '14 at 07:52
  • Yes. Different browser behavior is a normal thing (IMHO). – Roman Kiselenko Feb 19 '14 at 07:59
  • @Monk_Code @devanand Hmm... Oh my dog. It seems I had deceived myself. I just had to place `protect_from_forgery` without any options in the `Users` controller. – ElCoyote Feb 19 '14 at 08:10

2 Answers

7

I just had to put protect_from_forgery in the Users controller. Thanks to all.

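```ruby
class UsersController < ApplicationController
  # Without a `with:` option, Rails 4 applies the :null_session strategy.
  protect_from_forgery

  def index
    #@users = User.all.includes(:roles)
    @users = User.all
  end
  def show

  end
  def new
    @user = User.new
  end
  def create
    @user = User.new user_params
    puts @user.errors.inspect
    if @user.save
      flash[:notice] = "Пользователь удачно создан"
      redirect_to :users
    else
      flash[:notice] = "Пользователь не создан"
      render file: :'users/user_error'
    end
    flash["notice"] = "Test notice"
    #redirect_to :users
  end

  private

  # Assumed: the permitted attributes are the ones in the logged request parameters.
  def user_params
    params.require(:user).permit(:name, :surname, :patronymic, :email, :address,
                                 :phone, :phone2, :password, :password_confirmation)
  end
end
```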
ElCoyote
1

I met the same problem. This only happens in the Chrome browser. But my problem was that I had forbidden cookies in Chrome's Content Settings. So just enable them, or select Clear on quit if you must forbid this.

NOTE: This setting was carried over from the Chrome browser on another device of mine. If you log in to Chrome with your Google account, Chrome will synchronize your settings between devices. So it may be hard to be aware of the problem.

Hope this can help other people who meet this problem.

Cosmo
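Added example (not code from the posts or from Rails): a plain-Ruby model of the check behind both answers, showing that a POST arriving without the session cookie fails token verification, and that the `:null_session` strategy, which Rails 4 uses when `protect_from_forgery` is given no `with:` option, lets the action run with an empty session instead of raising. `ToyApp`, `outcome` and the result symbols are hypothetical names.

```ruby
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

# Toy model (not Rails source): the form token must match the token kept in
# the session, and the session is only found if the browser returns the cookie.
class ToyApp
  def initialize(strategy)
    @strategy = strategy # :exception or :null_session
    @sessions = {}       # cookie value => session hash
  end

  # GET /users/new -> [cookie to set, token embedded in the form]
  def render_form(cookie = nil)
    cookie, session = load_session(cookie)
    [cookie, (session[:_csrf_token] ||= SecureRandom.base64(32))]
  end

  # POST /users -> the session the action runs with
  def submit(cookie, form_token)
    _, session = load_session(cookie)
    return session if same_token?(session[:_csrf_token], form_token)
    raise InvalidAuthenticityToken if @strategy == :exception
    {} # :null_session: the action still runs, but with an empty session
  end

  private

  def load_session(cookie)
    cookie = SecureRandom.hex(8) unless @sessions.key?(cookie)
    [cookie, (@sessions[cookie] ||= {})]
  end

  # Constant-time comparison; false when either token is missing.
  def same_token?(a, b)
    return false unless a && b && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

def outcome(strategy, browser_keeps_cookies)
  app = ToyApp.new(strategy)
  cookie, token = app.render_form
  cookie = nil unless browser_keeps_cookies # constructed case: cookies blocked
  app.submit(cookie, token).key?(:_csrf_token) ? :verified : :ran_with_empty_session
rescue InvalidAuthenticityToken
  :rejected_422
end

puts outcome(:exception, true), outcome(:exception, false), outcome(:null_session, false)
```

In this model a bare `protect_from_forgery` removes the 422 without making the token verify; the missing session cookie is still the underlying condition.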