Ruby on Rails | Screencasts | Download | Documentation | Weblog | Community | Source

Ticket #10055 (new defect)

Opened 2 years ago

Last modified 2 years ago

in_place_editing plugin does not work with CSRF protection and does not evaluate the RJS response

Reported by: moses Assigned to: core
Priority: high Milestone: 2.x
Component: Plugins Version: edge
Severity: major Keywords:
Cc: jb@joergbattermann.com

Description

No modifications to work with CSRF protection were applied to the in_place_editing plugin, as a result it doesn't work at all with CSRF protection turned on.

Also, scriptaculous/prototype have moved away from the evalScripts option for Ajax.Request, the option is now htmlResponse (htmlResponse should be the opposite of the old evalScripts). As a result at the moment for some requests the RJS does not get evaluated and instead is inserted into the page as escaped text.

Attached is a patch that fixes both these issues in the plugin, including additional tests.

Also changed: added the :text_between_controls option available in modern scriptaculous, for rendering things like <input type="submit" value="Save"/> or <a href="whatever">cancel</a>.

Attachments

in_place_editing_should_work_with_csrf_and_rjs.patch (3.7 kB) - added by moses on 11/02/07 01:02:02.

Change History

11/02/07 01:02:02 changed by moses

  • attachment in_place_editing_should_work_with_csrf_and_rjs.patch added.

11/02/07 18:19:53 changed by krishna

+1

My only suggestion would be to change tests so that they can be run outside of a Rails project (like http://dev.rubyonrails.org/ticket/10059), but that is tangential to this patch, which seems great.

11/23/07 15:35:48 changed by scott_willson

+1

In place editing was broken in my app with edge; it works again with this patch. Plugin tests work before and after applying the patch.

01/03/08 14:34:09 changed by lemig

+1

Works fine for. Thanks you saved my day!

01/05/08 14:38:18 changed by sergiocambra

It works for me too. Using rails 2.0.2

01/06/08 02:01:36 changed by prochain

  • priority changed from normal to high.
  • severity changed from normal to major.

Works great. The same bit of code needs to be applied to the auto_complete plugin as well. Hope you don't mind, I'm increasing the severity and priority because these plugins are DOA on an out-of-the-box Rails installation. It's a minor fix but they don't work at all without it.

(follow-up: ↓ 7 ) 01/10/08 19:25:41 changed by gw234

  • version changed from edge to 2.0.1.

This is still not working for me in rails 2.0 even with the patch. My problem, and I'm wondering if this is shared, occurs when you are starting your in place editing on a field that is currently NULL and adding information to it. When I refresh the page and do an in place edit on a field that already contains data, I don't get the weird rendering of rjs in the field.

Really, this is a critical problem because a large number of uses for in place editing are to add information to fields that don't have information already. If you have a photo, and it has a description:NULL, you're going to run into a problem. One thing I was thinking of doing, that's purely a hack and I really don't want to is have default values like "Add a description" in the database :description column and then checking to see if description == "Add a description" to prevent people other than admin from seeing it.

(in reply to: ↑ 6 ) 01/10/08 19:31:12 changed by moses

  • version changed from 2.0.1 to edge.

Hey gw234,

Not sure your problem is related to this ticket, sounds like more of a general issue with in-place editing.

Replying to gw234:

This is still not working for me in rails 2.0 even with the patch. My problem, and I'm wondering if this is shared, occurs when you are starting your in place editing on a field that is currently NULL and adding information to it. When I refresh the page and do an in place edit on a field that already contains data, I don't get the weird rendering of rjs in the field. Really, this is a critical problem because a large number of uses for in place editing are to add information to fields that don't have information already. If you have a photo, and it has a description:NULL, you're going to run into a problem. One thing I was thinking of doing, that's purely a hack and I really don't want to is have default values like "Add a description" in the database :description column and then checking to see if description == "Add a description" to prevent people other than admin from seeing it.

(follow-up: ↓ 9 ) 01/10/08 19:39:12 changed by gw234

I thought the issue was rjs getting displayed instead of evaluated?

(in reply to: ↑ 8 ) 01/10/08 19:43:36 changed by moses

Replying to gw234:

I thought the issue was rjs getting displayed instead of evaluated?

The main issue was not working at all when the app is configured to use CSRF protection. It was also not evaluating the RJS. Are you saying even without the patch the RJS is now being evaluated in edge?

02/10/08 20:00:10 changed by zsombor

I've tried to fix this as a globally for all ajax requests in #11071, we should have this CSRF beast serving security in an invisible way without interfering with custom JS code.

02/13/08 22:00:00 changed by redinger

+1 I've been using this patch for a while.

04/10/08 23:32:06 changed by Syntaxius

Great work, I was really going nuts until I found this.

(follow-up: ↓ 14 ) 05/01/08 16:57:30 changed by etlund

This patch worked for me while the 'global' fix (#11071) did not. I'm on Rails 2.0.2.

(in reply to: ↑ 13 ) 05/01/08 20:06:56 changed by zsombor

Replying to etlund:

This patch worked for me while the 'global' fix (#11071) did not. I'm on Rails 2.0.2.

Etlund did you update your prototype.js file with the version patched by #11071 ?

06/25/08 23:34:51 changed by joerg.battermann

  • cc set to jb@joergbattermann.com.

+1.. would love to see this go 'live' in the plugin