Comments (13)
@duboff did you manage to get this to work? I tried everything from monkey patching to forking and removing the protect_from_forgery directive as well as inheriting from ActionController::Base. I always ended up with the following error:
{"status":500,"error":"Internal Server Error","exception":"#\u003cActionView::Template::Error: undefined local variable or method `new_query_path' for #\u003c#\u003cClass:0x007fb3f86eb2d0\u003e:0x007fb3f6e95a00\u003e\u003e","traces":{"Application Trace":[{"id":88,"trace":"appsignal (2.1.0) lib/appsignal/rack/rails_instrumentation.rb:16:in `call'"}]
Really hope someone has gotten Blazer to work with rails-api!
from blazer.
It probably makes sense to keep the application default, in which case you'd want to exclude verify_authenticity_token from the skip_filter list.
from blazer.
@ankane - Any hesitation accepting this PR? Would rather not be using a fork :)
from blazer.
Yeah, my previous comment was never addressed. Thinking about it again, I'm not sure it makes sense. What CSRF protection method would you use instead?
from blazer.
@ankane I am sorry for not following up on this but I did not quite understand what you meant in the previous comment. Would be very keen to reopen discussions. I would think Blazer should just respect the application default.
@gen0cide you don't necessarily need a fork. We just have a Blazer::BaseController with:
protect_from_forgery with: :null_session
from blazer.
Hey @duboff, no worries. How are you doing authentication?
from blazer.
We use Clearance gem for the admin pages which Blazer is a part of.
from blazer.
I'll follow up over email since this involves security.
from blazer.
We do have it working, however, @ankane has personally emailed me saying our solution is not great security-wise. I don't have any other one though. My solution is to have a controller app/controllers/blazer/base_controller.rb with the following:
module Blazer
  class BaseController < ApplicationController
    # skip all filters
    filters = _process_action_callbacks.map(&:filter)
    if Rails::VERSION::MAJOR >= 5
      skip_before_action(*filters, raise: false)
      skip_after_action(*filters, raise: false)
      skip_around_action(*filters, raise: false)
    else
      skip_action_callback *filters
    end
    protect_from_forgery with: :null_session # this is the hack
    [ ... ] # remainder of the controller copied from Github
The only other solution is to switch off api_only mode I believe.
from blazer.
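The thread turns on what `protect_from_forgery with: :null_session` actually does to a forged request compared with the application default, and on @ankane's question about which CSRF protection method to use instead. As an added illustration (not code from Blazer or from Rails), here is a small pure-Ruby model of the three Rails strategies, simplified to an unmasked per-session token; the session layout, the `user_id` key standing in for a cookie-authenticated user, and the `simulate_post` helper are constructed for the example.

```ruby
# Added example, not Blazer's or Rails' code: models what `protect_from_forgery
# with: :exception | :null_session | :reset_session` does to a request whose CSRF
# token does not match the one stored in the session. Simplified: Rails masks the
# token it hands to forms; here the raw session token is compared directly.
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

# Mints the per-session secret Rails keeps under session[:_csrf_token].
def issue_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison, mirroring ActiveSupport::SecurityUtils.secure_compare.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session the controller action would run with, or raises,
# depending on the strategy. A matching token always passes untouched.
def verify_authenticity(session, submitted_token, with:)
  return session if secure_compare(session[:_csrf_token], submitted_token)
  case with
  when :exception     then raise InvalidAuthenticityToken
  when :null_session  then {}            # action still runs, with an empty session
  when :reset_session then session.clear # action still runs, real session wiped
  else raise ArgumentError, "unknown forgery protection strategy #{with.inspect}"
  end
end

# Constructed scenario: a cookie-authenticated user (user_id 42) submits a POST.
# Reports whether the action ran and which user, if any, it would see.
def simulate_post(with:, token_valid:)
  session = { user_id: 42 }
  token = issue_csrf_token(session)
  submitted = token_valid ? token : "forged-#{token}"
  begin
    seen = verify_authenticity(session, submitted, with: with)
    { ran: true, user_id: seen[:user_id] }
  rescue InvalidAuthenticityToken
    { ran: false, user_id: nil }
  end
end
```

With `:exception` the forged request never reaches the action; with `:null_session` it does, but anything that reads the session (such as a Clearance-style current user) sees nothing, which is why that strategy is a fit for token-authenticated APIs rather than cookie-authenticated admin pages.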
@duboff Thanks for your fast reply, good to hear that you have it working.
I am using with Blazer 1.7.9 and added the controller override in /app/controllers/blazer/base_controller.rb.
Even when using null_session the controller depends on ActionController::RequestForgeryProtection. Since this module is not included in the ActionController::API base class the following error is thrown:
ActionController::RoutingError: undefined method `protect_from_forgery'
.. so I included ActionController::RequestForgeryProtection in the Blazer::BaseController. Which yields:
ActionController::RoutingError: undefined method `layout'
At this point I believe the only option is to have the Blazer::BaseController inherit from ActionController::Base instead of ApplicationController which has ActionController::API as super. But this yields the following error again:
ActionView::Template::Error: undefined local variable or method `new_query_path'
Currently I don't think turning off api_only is a solution. Maybe it should be possible to specify the engine's parent_controller like Devise or rails_admin? But in this case, the protect_from_forgery line should be removed anyways.
from blazer.
Hmm, it's definitely working for us.
Probably a better solution is to separate blazer into a whole new app?
from blazer.
Great suggestion, why didn't I think of that 🤔
from blazer.
Cleaning up issues
from blazer.