设计+ Rails 3.0.4 在 AJAX 请求后结束会话

发布于 2024-10-31 09:47:05 字数 1091 浏览 2 评论 0原文

我有一个由 Ajax.InPlaceEditorInPlaceCollectionEditor 生成的 AJAX 请求触发的操作,如下所示:

new Ajax.InPlaceCollectionEditor('agent_email', 'inspections/<%= @inspection.id %>/update_field', 
{
collection: [<% @agents.each do |agent| %>
        '<%= agent.email %>',           
        <% end %>],
    okText: 'Update',
    cancelText: 'Never mind',
    savingText: 'Updating...'

});

在另一端,操作包含以下内容:

def update_field
  --some code here--
  if success
    puts "stored change"
    render :text => result
  else
    puts "did note change store"
    render :text => inspection.errors.to_json, :status => 500
  end
end

一旦任何渲染方法被调用,达到时,会话过期,下次用户发送请求时,Devise 将它们发送到登录页面。

即使我从身份验证中免除 update_field (before_filter :authenticate_user!, : except => :update_field),会话仍然会被重置。

我查看了一个非常类似问题的答案 设计会话立即过期在 .js 上调用 [AJAX],但这并不能解决我的特定问题。

有什么想法吗?

I have an action triggered by an AJAX request generated by Ajax.InPlaceEditor or InPlaceCollectionEditor like this:

new Ajax.InPlaceCollectionEditor('agent_email', 'inspections/<%= @inspection.id %>/update_field', 
{
collection: [<% @agents.each do |agent| %>
        '<%= agent.email %>',           
        <% end %>],
    okText: 'Update',
    cancelText: 'Never mind',
    savingText: 'Updating...'

});

At the other end, the action contains this:

def update_field
  --some code here--
  if success
    puts "stored change"
    render :text => result
  else
    puts "did note change store"
    render :text => inspection.errors.to_json, :status => 500
  end
end

Once any of the render methods are reached, the session expires, and next time the user send a request, Devise sends them to the logon on page.

Even though I am exempting update_field from authentication (before_filter :authenticate_user!, :except => :update_field), the session is still getting reset.

I have looked at the answer at a very similar question at Devise session immediately expiring on .js call [AJAX], but it is not solving my particular problem.

Any ideas?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

玩心态 2024-11-07 09:47:05

我通过从 http:// weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails (prototype-snippet.js):

/*
 * Registers a callback which copies the csrf token into the
 * X-CSRF-Token header with each ajax request.  Necessary to 
 * work with rails applications which have fixed
 * CVE-2011-0447
*/

Ajax.Responders.register({
onCreate: function(request) {
  var csrf_meta_tag = $('meta[name=csrf-token]')[0];

  if (csrf_meta_tag) {
    var header = 'X-CSRF-Token',
        token = csrf_meta_tag.readAttribute('content');

    if (!request.options.requestHeaders) {
      request.options.requestHeaders = {};
    }
    request.options.requestHeaders[header] = token;
  }
}
});

...在我的 application.html 的 Javascript 块内。 erb:

<script type="text/javascript">
  (... the code from above)
</script>

也不要忘记

<%= csrf_meta_tag %>

在同一文件的顶部添加:(如果还没有)。

文档“Ruby on Rails 中的 CSRF 保护绕过 ”解释了为什么这有效。

I got this to work by getting the code from http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails (prototype-snippet.js):

/*
 * Registers a callback which copies the csrf token into the
 * X-CSRF-Token header with each ajax request.  Necessary to 
 * work with rails applications which have fixed
 * CVE-2011-0447
*/

Ajax.Responders.register({
onCreate: function(request) {
  var csrf_meta_tag = $('meta[name=csrf-token]')[0];

  if (csrf_meta_tag) {
    var header = 'X-CSRF-Token',
        token = csrf_meta_tag.readAttribute('content');

    if (!request.options.requestHeaders) {
      request.options.requestHeaders = {};
    }
    request.options.requestHeaders[header] = token;
  }
}
});

... within a Javascript block in my application.html.erb:

<script type="text/javascript">
  (... the code from above)
</script>

Also don't forget to add:

<%= csrf_meta_tag %>

in the same file towards the top (if not already there).

The document "CSRF Protection Bypass in Ruby on Rails" explains why this works.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文