views: 47
answers: 3

I was curious what that meant in general.

But here are the specifics.

I'm doing a sortable jQuery project that touches this Rails action:

def update_order
  params[:media].each_with_index do |id, index|
    media = @organization.media.find(id)
    media.do_not_touch = true
    media.update_attribute('position', index+1)
  end if params[:media]
  render :nothing => true
end

I'm just looking for a general reason why this error comes up.

+1  A: 

Normal Rails form helpers will inject a hidden authenticity token into the form. When you roll your own, such as what you're probably doing for this Ajax code, you probably haven't added the token.

This old post has some good tips that may help you, depending on if you really care about using that token, or just want to turn it off for that action.

jdl
+3  A: 

Rails automatically checks for forged data when data is submitted. From the doc:

Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a forged link from another site, is done by embedding a token based on a random string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller.

You can disable this for the given Ajax call, or you could also send along a parameter named "authenticity_token" with the value of <%= form_authenticity_token %>.

To disable it (which I would NOT recommend), you can do one of the following:

class FooController < ApplicationController
  # skip the check for a single action:
  protect_from_forgery :except => :update_order

  # or disable CSRF protection on a controller-by-controller basis:
  skip_before_filter :verify_authenticity_token
end
vegetables
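The token check the quoted doc describes, written out as an added example (it is not Rails' own code and not code from any poster here): a constructed FakeSession holds the random token, verified_request? applies the rule that non-GET requests must carry a matching authenticity_token, and handle_update_order is a stand-in for the question's action with the check in front of it. The names FakeSession, verified_request?, ajax_params and handle_update_order are assumptions for this illustration; Rails' real implementation lives in ActionController and is not reproduced here.

```ruby
require 'securerandom'

# Constructed stand-in for the session Rails keeps per user; the token is a
# random value another site cannot read (assumption: 32 random bytes).
class FakeSession
  attr_reader :csrf_token

  def initialize
    @csrf_token = SecureRandom.base64(32)
  end
end

# Constant-time comparison so the check does not leak the token byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The rule from the quoted doc: GET/HEAD pass through, anything else must
# carry a token equal to the one stored in the session.
def verified_request?(session, method, params)
  return true if %w[GET HEAD].include?(method)
  token = params['authenticity_token']
  return false if token.nil? || token.empty?
  secure_compare(token, session.csrf_token)
end

# What a Rails-generated form, or a hand-written Ajax call that follows the
# answer above, sends: the media ids plus the hidden authenticity_token.
def ajax_params(session, media_ids)
  { 'authenticity_token' => session.csrf_token, 'media' => media_ids }
end

# Simulation of the question's update_order action with the forgery check in
# front of it. Returns :invalid_authenticity_token when the check fails,
# otherwise [:ok, { id => position }] mirroring the index+1 assignment.
def handle_update_order(session, method, params)
  return :invalid_authenticity_token unless verified_request?(session, method, params)

  positions = {}
  (params['media'] || []).each_with_index { |id, index| positions[id] = index + 1 }
  [:ok, positions]
end

if $PROGRAM_NAME == __FILE__
  s = FakeSession.new
  p handle_update_order(s, 'POST', { 'media' => %w[7 3 9] })   # token missing: rejected
  p handle_update_order(s, 'POST', ajax_params(s, %w[7 3 9]))  # token present: positions assigned
end
```

Running it shows the two outcomes the question is asking about: the same POST body is rejected when the hidden token is absent or forged and accepted when it matches the session, which is why a hand-rolled jQuery call that omits the field fails while a Rails-generated form does not.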
A: 

I put this line in the form: <%= tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token) %>

But it still doesn't work. Don't know why.

Jason