I'm trying to get a file upload progress bar working in a rails 3 app using uploadify (http://www.uploadify.com) and I'm stuck at authenticity tokens. My current uploadify config looks like
<script type="text/javascript" charset="utf-8">$(document).ready(function() {
$("#zip_input").uploadify({
'uploader': '/flash/uploadify.swf',
'script': $("#upload").attr('action'),
'scriptData': { 'format': 'json', 'authenticity_token': encodeURIComponent('<%= form_authenticity_token if protect_against_forgery? %>') },
'fileDataName': "world[zip]",
//'scriptAccess': 'always', // Incomment this, if for some reason it doesn't work
'auto': true,
'fileDesc': 'Zip files only',
'fileExt': '*.zip',
'width': 120,
'height': 24,
'cancelImg': '/images/cancel.png',
'onComplete': function(event, data) { $.getScript(location.href) }, // We assume that we can refresh the list by doing a js get on the current page
'displayData': 'speed'
});
});
</script>
But I am getting this response from rails:
Started POST "/worlds" for 127.0.0.1 at 2010-04-22 12:39:44ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
Rendered /opt/local/lib/ruby/gems/1.8/gems/actionpack-3.0.0.beta3/lib/action_dispatch/middleware/templates/rescues/_trace.erb (1.0ms)
Rendered /opt/local/lib/ruby/gems/1.8/gems/actionpack-3.0.0.beta3/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb (6.6ms)
Rendered /opt/local/lib/ruby/gems/1.8/gems/actionpack-3.0.0.beta3/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb within rescues/layout (12.2ms)
This appears to be because I'm not sending the authentication cookie along with the request. Does anyone know how I can get the values I should be sending there, and how I can make rails read it from HTTP POST rather than trying to find it as a cookie?
Skipping authenticity token checking is not ideal as it opens up XSS attack vectors. Another way to make this work is described here: http://metautonomo.us/2010/07/09/uploadify-and-rails-3/
Note that you may need to double url encode things. In the example the rails 'u' is being used as well as encodeURLComponent(). Howoever, if you have a more fancy/rails3 type set up and source the session data/authenticity token from meta tags in the page header, you will need to call encodeURLComponent() twice.
This seems to be a bug with rails 3.
https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/3913
This meant I had to change how I was skipping the authenticity token checking:
Changed from
protect_from_forgery :except => :upload
To
skip_before_filter :verify_authenticity_token, :only => :upload
Which seems to still work fine
well, i figured how to go around that. Is there a form on the view where you want to upload the files. If u do just use jquery to get the value of the hidden authenticity token and pass it into the scriptData var.
var token = ($('input[name=authenticity_token]').val());
scriptData : {'authenticity_token':token}
Hope this works for you.