Bug: ActionController::InvalidAuthenticityToken in Hyrax::Dashboard::CollectionsController#update when updating banner. #5470

Closed
bwatson78 opened this issue Feb 25, 2022 · 10 comments
bwatson78 commented Feb 25, 2022

Descriptive summary

When upgrading from Hyrax v3.2.0 to v3.3.0, we've encountered the following traceback

ActionController::InvalidAuthenticityToken
actionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:215:in `handle_unverified_request'
actionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:247:in `handle_unverified_request'
devise (4.7.2) lib/devise/controllers/helpers.rb:255:in `handle_unverified_request'
actionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:242:in `verify_authenticity_token'
activesupport (5.2.6) lib/active_support/callbacks.rb:426:in `block in make_lambda'
activesupport (5.2.6) lib/active_support/callbacks.rb:198:in `block (2 levels) in halting'
actionpack (5.2.6) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
activesupport (5.2.6) lib/active_support/callbacks.rb:199:in `block in halting'
activesupport (5.2.6) lib/active_support/callbacks.rb:513:in `block in invoke_before'
activesupport (5.2.6) lib/active_support/callbacks.rb:513:in `each'
activesupport (5.2.6) lib/active_support/callbacks.rb:513:in `invoke_before'
activesupport (5.2.6) lib/active_support/callbacks.rb:131:in `run_callbacks'
actionpack (5.2.6) lib/abstract_controller/callbacks.rb:41:in `process_action'
actionpack (5.2.6) lib/action_controller/metal/rescue.rb:22:in `process_action'
actionpack (5.2.6) lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
activesupport (5.2.6) lib/active_support/notifications.rb:168:in `block in instrument'
activesupport (5.2.6) lib/active_support/notifications/instrumenter.rb:23:in `instrument'
activesupport (5.2.6) lib/active_support/notifications.rb:168:in `instrument'
actionpack (5.2.6) lib/action_controller/metal/instrumentation.rb:32:in `process_action'
actionpack (5.2.6) lib/action_controller/metal/params_wrapper.rb:256:in `process_action'
activerecord (5.2.6) lib/active_record/railties/controller_runtime.rb:24:in `process_action'
actionpack (5.2.6) lib/abstract_controller/base.rb:134:in `process'
actionview (5.2.6) lib/action_view/rendering.rb:32:in `process'
actionpack (5.2.6) lib/action_controller/metal.rb:191:in `dispatch'
actionpack (5.2.6) lib/action_controller/metal.rb:252:in `dispatch'
actionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:52:in `dispatch'
actionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:34:in `serve'
actionpack (5.2.6) lib/action_dispatch/journey/router.rb:52:in `block in serve'
actionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `each'
actionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `serve'
actionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:840:in `call'
railties (5.2.6) lib/rails/engine.rb:524:in `call'
railties (5.2.6) lib/rails/railtie.rb:190:in `public_send'
railties (5.2.6) lib/rails/railtie.rb:190:in `method_missing'
actionpack (5.2.6) lib/action_dispatch/routing/mapper.rb:19:in `block in <class:Constraints>'
actionpack (5.2.6) lib/action_dispatch/routing/mapper.rb:48:in `serve'
actionpack (5.2.6) lib/action_dispatch/journey/router.rb:52:in `block in serve'
actionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `each'
actionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `serve'
actionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:840:in `call'
xray-rails (0.3.2) lib/xray/middleware.rb:38:in `call'
omniauth (1.9.1) lib/omniauth/strategy.rb:192:in `call!'
omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
warden (1.2.8) lib/warden/manager.rb:36:in `block in call'
warden (1.2.8) lib/warden/manager.rb:34:in `catch'
warden (1.2.8) lib/warden/manager.rb:34:in `call'
rack (2.0.9) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.0.9) lib/rack/etag.rb:25:in `call'
rack (2.0.9) lib/rack/conditional_get.rb:38:in `call'
rack (2.0.9) lib/rack/head.rb:12:in `call'
actionpack (5.2.6) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.0.9) lib/rack/session/abstract/id.rb:259:in `context'
rack (2.0.9) lib/rack/session/abstract/id.rb:253:in `call'
actionpack (5.2.6) lib/action_dispatch/middleware/cookies.rb:670:in `call'
active-fedora (13.2.4) lib/active_fedora/ldp_cache.rb:26:in `call'
flipflop (2.6.0) lib/flipflop/feature_cache.rb:12:in `call'
activerecord (5.2.6) lib/active_record/migration.rb:559:in `call'
actionpack (5.2.6) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
activesupport (5.2.6) lib/active_support/callbacks.rb:98:in `run_callbacks'
actionpack (5.2.6) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (5.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
web-console (3.7.0) lib/web_console/middleware.rb:135:in `call_app'
web-console (3.7.0) lib/web_console/middleware.rb:30:in `block in call'
web-console (3.7.0) lib/web_console/middleware.rb:20:in `catch'
web-console (3.7.0) lib/web_console/middleware.rb:20:in `call'
actionpack (5.2.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (5.2.6) lib/rails/rack/logger.rb:38:in `call_app'
railties (5.2.6) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `block in tagged'
activesupport (5.2.6) lib/active_support/tagged_logging.rb:28:in `tagged'
activesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `tagged'
railties (5.2.6) lib/rails/rack/logger.rb:26:in `call'
sprockets-rails (3.4.2) lib/sprockets/rails/quiet_assets.rb:13:in `call'
actionpack (5.2.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
request_store (1.5.1) lib/request_store/middleware.rb:19:in `call'
actionpack (5.2.6) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (2.0.9) lib/rack/method_override.rb:22:in `call'
rack (2.0.9) lib/rack/runtime.rb:22:in `call'
activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call'
rack (2.0.9) lib/rack/sendfile.rb:111:in `call'
honeybadger (4.7.0) lib/honeybadger/rack/error_notifier.rb:33:in `block in call'
honeybadger (4.7.0) lib/honeybadger/agent.rb:401:in `with_rack_env'
honeybadger (4.7.0) lib/honeybadger/rack/error_notifier.rb:30:in `call'
honeybadger (4.7.0) lib/honeybadger/rack/user_feedback.rb:31:in `call'
honeybadger (4.7.0) lib/honeybadger/rack/user_informer.rb:21:in `call'
webpacker (4.2.2) lib/webpacker/dev_server_proxy.rb:23:in `perform_request'
rack-proxy (0.6.5) lib/rack/proxy.rb:57:in `call'
railties (5.2.6) lib/rails/engine.rb:524:in `call'
puma (3.12.6) lib/puma/configuration.rb:227:in `call'
puma (3.12.6) lib/puma/server.rb:706:in `handle_request'
puma (3.12.6) lib/puma/server.rb:476:in `process_client'
puma (3.12.6) lib/puma/server.rb:334:in `block in run'
puma (3.12.6) lib/puma/thread_pool.rb:135:in `block in spawn_thread'

from the request with the following parameters

{"utf8"=>"✓",
 "_method"=>"patch",
 "authenticity_token"=>"W2Om4dbyN9LRy9lF7D1lppF6uUgBCd0XJaY1Fy7D79tUQgIhIYceStx+HGKtM5nxVn1/NHlyaWn0gMZ1jE/kOQ==",
 "collection"=>
  {"title"=>"Music Fan-Art Posters-",
   "holding_repository"=>["Some Library", ""],
   "creator"=>["Various", ""],
   "abstract"=>"Posters honoring bands, created by fans.",
   "thumbnail_id"=>"692t4b8gv1-cor",
   "administrative_unit"=>[""],
   "contributors"=>[""],
   "primary_language"=>"",
   "finding_aid_link"=>"",
   "institution"=>"Emory University",
   "local_call_number"=>"",
   "keywords"=>[""],
   "subject_topics"=>[""],
   "subject_names"=>[""],
   "subject_geo"=>[""],
   "subject_time_periods"=>[""],
   "notes"=>[""],
   "rights_documentation"=>"",
   "sensitive_material"=>"",
   "internal_rights_note"=>"",
   "contact_information"=>"",
   "staff_notes"=>[""],
   "system_of_record_ID"=>"",
   "emory_ark"=>[""],
   "alt_title"=>[""],
   "source_collection_id"=>"",
   "deposit_collection_ids"=>[""],
   "visibility"=>"open"},
 "type"=>"",
 "stay_on_edit"=>"true",
 "collection_type_gid"=>"gid://dlp-curate/Hyrax::CollectionType/4",
 "collection_banner"=>"",
 "files"=>[""],
 "permission_template"=>{"access_grants_attributes"=>{"0"=>{"agent_type"=>"group", "agent_id"=>"", "access"=>""}}},
 "update_collection"=>"Save changes",
 "referer_anchor"=>"#branding",
 "locale"=>"en",
 "id"=>"832r4xgxdm-cor"}

I have managed to get banners to save by resetting the page's cache with the command-shift-r directive from a Mac, but this isn't ideal.

My running theory is that CSRF data isn't transferring to and from the AJAX processing of the Uploaded files. Adding remote: true somewhat fixed the behavior but also stopped the page from redirecting with any error messages that may occur elsewhere.

Rationale

This impedes the end user from saving any Uploaded File changes they make.

Expected behavior

Return a message banner stating that the Collection changes have been saved.

Actual behavior

Returns the Fatal Error above.

Steps to reproduce the behavior

  1. Access the Dashboard
  2. choose to edit a collection from the collections index
  3. select Branding
  4. alter the banner in any fashion
  5. Save Changes

Related work

N/A

@jlhardes
Contributor

Testing on nurax-dev is showing that when editing a Collection:

  • if Branding has no files, a banner file can be uploaded and saved without errors

  • if Branding has no files, a logo file can be uploaded and saved without errors

  • if Branding has only a banner file, a logo file cannot be uploaded and saved, there is an "ArgumentError in Hyrax::Dashboard::CollectionsController#update" error and no logo file is there upon viewing Branding again


  • if Branding has only a logo file, uploading a banner file will cause an "ArgumentError in Hyrax::Dashboard::CollectionsController#update" error on save but the banner file does actually upload and is viewable upon viewing Branding again


  • if Branding has a logo file, uploading an additional logo file results in that same error and the additional logo file is not saved

@bwatson78 these are the same errors between the steps on nurax-dev but is it the same error you encountered?

The original steps to reproduce reflect that any action at all in Branding causes an error but if there are no Branding files for logo or banner, uploading one or the other does work without errors on nurax-dev.

@bwatson78
Contributor Author

@jlhardes It isn't the same error, but I may be able to give you a breadcrumb about the error you're receiving.

If you are upgrading versions, too, you may be encountering the same problems we saw earlier. It seems that the storage process for banners and other CollectionBrandingInfo objects moved from a FileUtils saving process (files that live directly in the app tree) to Valkyrie Storage objects. There wasn't any transitional processing created, so the choices are to remove all of the current objects and recreate them through the UI as Valkyrie Objects, or override and revert the CollectionBrandingInfo processing changes to maintain the already built objects.

elrayle commented Mar 1, 2022

@jlhardes Is there an issue opened for the series of steps you describe? These do seem to be two different issues.

elrayle commented Mar 1, 2022

Possibly related: Issue #5464 which gets an InvalidAuthenticityToken when trying to edit a collection type

jlhardes commented Mar 1, 2022

Yes @elrayle I think what I am describing is a different issue that might be connected to #5464. Thanks for adding the valk label on this issue.

elrayle commented Mar 2, 2022

Following steps to reproduce, I'm not able to see this issue on nurax-dev which is at Hyrax 3.3.0. I tested in Chrome.

@bwatson78

  • What browser are you using?
  • Was the error happening for a banner that was added pre-3.3.0 and then edited in 3.3.0?
  • Are banners that were added pre-3.3.0 and haven't been edited working?

@bwatson78
Contributor Author

What browser are you using?: This was seen on both Chrome 98+ as well as Safari 15+.
Was the error happening for a banner that was added pre-3.3.0 and then edited in 3.3.0?: No, we removed and recreated all banners using the Valkyrie Storage after our push to 3.2.0, so this is happening during our regression testing for v3.3.0 as a new bug.
Are banners that were added pre-3.3.0 and haven't been edited working?: Same as above, banners were causing all sorts of errors before we removed them all and recreated them using the Valkyrie Storage Adapter.

@bwatson78
Contributor Author

I have found a fix that works: I've added data: { turbolinks: false } to all links going to the edit page for collection, stopping the cache loading of this page, fixing the InvalidAuthToken issue. I did this in app/views/hyrax/dashboard/collections/_show_actions.html.erb and app/views/hyrax/my/_collection_action_menu.html.erb. Thanks for your attention to this, though.
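
Added example, not part of the thread and not Hyrax or Rails source: a simplified Ruby model of the masked CSRF token check behind `verify_authenticity_token`, showing that a form kept in a client-side page cache keeps validating until the session's token is replaced, after which only a freshly rendered form passes. The helper names and the session-replacement step are assumptions for illustration; the thread does not establish why the cached token was stale.

```ruby
require 'securerandom'

TOKEN_LENGTH = 32 # bytes in the per-session secret token

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Comparison that does not stop at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The session stores one Base64 token; it is created on first use.
def real_csrf_token(session)
  session[:_csrf_token] ||= [SecureRandom.random_bytes(TOKEN_LENGTH)].pack('m0')
  session[:_csrf_token].unpack1('m0')
end

# Every rendered form gets a different masked copy: pad + (pad XOR token).
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, real_csrf_token(session))].pack('m0')
end

# Unmask the submitted value and compare it with the session's token.
def valid_authenticity_token?(session, submitted)
  return false if submitted.nil? || submitted.empty?
  decoded = submitted.unpack1('m0') # strict Base64, raises on malformed input
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_equal?(xor_bytes(pad, masked), real_csrf_token(session))
rescue ArgumentError
  false
end

# Constructed scenario (assumption): the edit form is rendered and kept in a
# page cache, the session token is later replaced, then the cached form is sent.
def cached_form_scenario
  session = {}
  cached_form_token = masked_authenticity_token(session) # held by the cached page
  rerendered_token = masked_authenticity_token(session)  # same session, new mask
  valid_before = valid_authenticity_token?(session, cached_form_token)
  session.delete(:_csrf_token)                           # token replaced server-side
  fresh_form_token = masked_authenticity_token(session)  # what a full reload receives
  {
    tokens_differ_per_render: cached_form_token != rerendered_token,
    cached_valid_before_reset: valid_before,
    cached_valid_after_reset: valid_authenticity_token?(session, cached_form_token),
    fresh_valid_after_reset: valid_authenticity_token?(session, fresh_form_token)
  }
end

p cached_form_scenario if __FILE__ == $PROGRAM_NAME
```

The differing masks show that a cached token is not invalid merely because it is old; it fails only once the session value it was derived from is gone, which is consistent with a hard refresh or a non-cached page load clearing the error.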

@cjcolvar
Member

Closed by #5523

@abelemlih abelemlih self-assigned this Mar 23, 2022
@abelemlih
Contributor

@jlhardes this ticket passed QA, and is ready to move to Done.

@abelemlih abelemlih assigned jlhardes and unassigned abelemlih Mar 24, 2022