As of Rails 2.2.2 you can't simply uncomment protect_from_forgery and expect "editing" requests (POST, PUT, DELETE, etc.) to keep working. I was using a shadow box which actually sends the link via a POST request, and that was throwing the infamous ActionController::InvalidAuthenticityToken. So when you POST through a link, you need to include the token returned by a method called form_authenticity_token in that request.
However, even though this solves the problem in the dev/prod environments, it is still an issue in RSpec, where you'd get something like:
ActionController::InvalidAuthenticityToken: No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store).
I found a working (ugly-looking but working) solution here which basically suggests hardcoding the secret key in the test environment:
# Rails 2.2.2: only the test environment gets a hardcoded :secret, so that
# form_authenticity_token can derive a token without the cookie session store.
if RAILS_ENV =~ /test/
  protect_from_forgery :secret => 'ed2931d45b59d748f3a34480a424f5cf'
else
  protect_from_forgery
end
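To see what the two fixes above change (the token a POST-via-link has to carry, and the :secret the test environment needs to derive it), here is an added stand-alone Ruby model; it is not Rails code and not from the original post. It assumes that Rails 2.2 with protect_from_forgery :secret derives form_authenticity_token as HMAC-SHA1 of the session id keyed with that secret and accepts a non-GET request only when params['authenticity_token'] equals it; the session id, path and helper names (link_with_token, verified_request?, params_from) are constructed for the example.

```ruby
require 'openssl'

# Constructed model of Rails 2.2's :secret-based request forgery protection.
# Assumption: token = HMAC-SHA1(secret, session_id), compared against the
# authenticity_token param on every non-GET request. Not Rails itself.
SECRET = 'ed2931d45b59d748f3a34480a424f5cf' # the hardcoded test-env secret from the post

# Equivalent of the form_authenticity_token helper: bound to the visitor's session,
# so a token lifted from one session is useless in another.
def form_authenticity_token(session_id, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret.to_s, session_id.to_s)
end

# Build the URL a shadow-box style "POST via link" should point at, so the token
# travels with the request the way a hidden form field would.
def link_with_token(path, session_id)
  sep = path.include?('?') ? '&' : '?'
  "#{path}#{sep}authenticity_token=#{form_authenticity_token(session_id)}"
end

# Mirror of verified_request?: GET is exempt; everything else must carry the token.
# (Rails 2.2 used plain == here; a constant-time compare is the modern choice.)
def verified_request?(method, params, session_id)
  method == :get || form_authenticity_token(session_id) == params['authenticity_token'].to_s
end

# Turn a link's query string back into a params hash (roughly what Rack does).
def params_from(url)
  query = url.split('?', 2)[1].to_s
  query.split('&').each_with_object({}) do |pair, h|
    k, v = pair.split('=', 2)
    h[k] = v
  end
end

if __FILE__ == $0
  sid  = 'constructed-session-id-1234'
  bare = '/posts/42/destroy'
  # The bare link is what the shadow box sent and what raised InvalidAuthenticityToken.
  puts "bare POST link accepted?    #{verified_request?(:post, params_from(bare), sid)}"
  puts "tokened POST link accepted? #{verified_request?(:post, params_from(link_with_token(bare, sid)), sid)}"
end
```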