
I have a Message model that has an archived param in my Rails 4 app. In the show view, I have a button_to that sets the archived param to true. This function previously worked before I added Devise and a Mailer to the Message model. Now, when I click the "archive" button, I get an "ActionController::InvalidAuthenticityToken" error. The only thing I've found that avoids this error is adding skip_before_filter :verify_authenticity_token, :only => [:archive] to my Messages Controller. However, when I do that, it doesn't save the params.

Is there a way to pass the authenticity token through the button_to link? Or is there a better way of accomplishing this that doesn't compromise its security?

Message.rb

class Message < ActiveRecord::Base

    validates_presence_of :name, :email, :message

    has_one :response

    scope :unread, -> { where(viewed: nil)}
    scope :viewed, -> { where(viewed: true)}
    scope :inbox, -> { where(archived: nil)}
    scope :archived, -> { where(archived: true)}

end

Messagescontroller.rb

class MessagesController < ApplicationController
  include MessagesHelper   # supplies message_params (strong parameters)

  before_action :authenticate_admin!, :except => [:new]

  def index
    @viewed = Message.viewed
    @unread = Message.unread
  end

  def new
    @message = Message.new
  end

  def create
    @message = Message.new(message_params)
    # save takes no attributes; they were already assigned by Message.new
    if @message.save
      Messagemailer.message_created(@message).deliver_now
      redirect_to root_path
      flash.notice = "Message successfully sent."
    else
      # flash.now so the alert shows on this render only and does not
      # linger into the next request
      flash.now[:alert] = "There was a problem sending your message: " +
                          @message.errors.full_messages.join(", ")
      render "new"
    end
  end

  def edit
    @message = Message.find(params[:id])
  end

  def update
    @message = Message.find(params[:id])

    if @message.update(message_params)
      redirect_to message_path(@message)
      flash.notice = "Message successfully sent."
    else
      flash.now[:alert] = "There was a problem updating the message: " +
                          @message.errors.full_messages.join(", ")
      render "edit"
    end
  end

  def view
    @message = Message.find(params[:id])
    @message.viewed = true
    if @message.save
      redirect_to message_path(@message)
    else
      flash.alert = "There was a problem viewing the message"
    end
  end

  def unview
    @message = Message.find(params[:id])
    @message.viewed = nil
    if @message.save
      redirect_to messages_path
    else
      flash.alert = "There was a problem un-viewing the message"
    end
  end

  def show
    @message = Message.find(params[:id])
  end

  def archive
    @message = Message.find(params[:id])
    # save(:archived => true) only passed an options hash to save and never
    # set the column; update assigns the attribute and saves in one step
    if @message.update(archived: true)
      redirect_to messages_path
    else
      flash.now[:alert] = "There was a problem archiving the message"
      render :show
    end
  end
end

MessagesHelper.rb

module MessagesHelper

def message_params
    params.require(:message).permit(:name, :email, :subject, :message, :viewed, :responded, :archived)
end

end

Messages show button

<%= button_to 'Archive', message_archive_path(@message), :class => 'button' %></div>

Any help is appreciated! Thanks!

EDIT:

This apparently is true in all of my forms as well. Is this a Devise issue?

Josiah Palmer
  • Never used button_to but it seems to me that this has more to do with CSRF than devise. It looks like button_to creates a mini-form that defaults to `method=post` but does not default to including the `authenticity_token` for CSRF protection. http://api.rubyonrails.org/classes/ActionView/Helpers/UrlHelper.html#method-i-button_to – Mitch Apr 28 '16 at 23:46
  • @Mitch - I discovered after posting this that all of my forms have this problem, including logging in and out of Devise. Any ideas on what may have caused that? – Josiah Palmer Apr 29 '16 at 00:55
  • After removing chunks of code and testing, I discovered that when I remove my mailer from my code it allows everything to work. I'm still not sure what exactly in the mailer setup is causing the issue though – Josiah Palmer Apr 29 '16 at 01:06
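Rails raises ActionController::InvalidAuthenticityToken when the authenticity_token posted by the form (button_to adds it as a hidden field whenever protect_from_forgery is active) does not unmask to the secret stored in the session, which is exactly what happens if the session cookie is reset or lost between rendering the page and submitting it. The Ruby below is an added example, not code from the question or from Rails itself, that reimplements the masked-token scheme Rails 4.2 uses so that mismatch can be reproduced outside the app; the session is modelled as a plain Hash.

```ruby
require 'securerandom'
require 'base64'

# Raw secret length; Rails keeps a 32-byte secret per session.
TOKEN_LENGTH = 32

# Per-session secret, created lazily and stored base64-encoded in the
# session, the way Rails stores session[:_csrf_token]. Session is a Hash here.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Value the form helpers embed as authenticity_token: a fresh one-time pad
# followed by (pad XOR secret), so each form gets a different string and
# the real secret never appears verbatim in the page body.
def masked_authenticity_token(session)
  real = real_csrf_token(session)
  pad  = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real))
end

# Constant-time equality so the comparison does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What protect_from_forgery does for a non-GET request: unmask the posted
# token and compare it with this session's secret. Anything malformed, or a
# token minted under a different session secret, is rejected.
def valid_authenticity_token?(session, encoded)
  return false unless encoded.is_a?(String)
  masked = Base64.strict_decode64(encoded)
  return false unless masked.bytesize == 2 * TOKEN_LENGTH
  pad = masked[0, TOKEN_LENGTH]
  unmasked = xor_bytes(pad, masked[TOKEN_LENGTH, TOKEN_LENGTH])
  secure_compare(unmasked, real_csrf_token(session))
rescue ArgumentError
  false # not valid strict base64
end
```

Checking a token from one session against a second, empty session fails in the same way the app's POST fails when the session that rendered the form is no longer the session that receives it.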
