Rails 3简单的AJAX删除不起作用,因为authenticity_token没有随请求一起发送
我正在提交一个简单的 ajax 删除请求,如下所示:
#invitation_actions
=link_to "delete", invitation_path(invitation), :method=>:delete, :remote=>true, :class=>"remove", :confirm=>'Are you sure you?'
请注意,由于所有页面中都包含 csrf_meta_tag 标签,因此具有请求的页面包含authenticity_token。
当我查看日志时,我发现删除请求缺少authenticity_token:
Started DELETE "/invitations/5" for 127.0.0.1 at 2011-04-22 11:21:21 -0700 由 InvitationsController#destroy 处理为 参数:{“id”=>“5”}
现在,如果我从代码中删除“:remote=>:true”,即我执行常规页面加载,删除将起作用,并且我在日志文件中看到以下内容:
于 2011-04-22 12:52:19 -0700 开始为 127.0.0.1 发布“/invitations/10” 由 InvitationsController#destroy 作为 HTML 进行处理 参数:{"authenticity_token"=>"qlT8uX/WGQeOQSmVZzw1v8rFdSTHDRbzNY0zpSc9mV0=", "id"=>"5"}
为什么在AJAX情况下是DELETE,在非AJAX情况下是POST? 为什么DELETE不包含authenticity_token?
感谢您的任何帮助。
I am submitting a simple ajax delete request like so:
#invitation_actions
=link_to "delete", invitation_path(invitation), :method=>:delete, :remote=>true, :class=>"remove", :confirm=>'Are you sure you?'
Note that the page that has the request contains the authenticity_token thanks to the csrf_meta_tag tag that is included in all the pages.
When I look in the logs I see that the delete request is missing the authenticity_token:
Started DELETE "/invitations/5" for 127.0.0.1 at 2011-04-22 11:21:21 -0700
Processing by InvitationsController#destroy as
Parameters: {"id"=>"5"}
Now if I remove the ":remote=>:true" from the code, i.e. I do a regular page load the delete works and I see the following in the log file:
Started POST "/invitations/10" for 127.0.0.1 at 2011-04-22 12:52:19 -0700
Processing by InvitationsController#destroy as HTML
Parameters: {"authenticity_token"=>"qlT8uX/WGQeOQSmVZzw1v8rFdSTHDRbzNY0zpSc9mV0=", "id"=>"5"}
Why is it a DELETE in the AJAX case and a POST in the non AJAX case?
Why the DELETE does not include the authenticity_token?
Thanks for any help.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您的问题的第一个可能原因(我能想到的)是,如果您的 UJS 脚本已有几个月以上,您可能需要将其更新到最新版本,以便您的应用程序使用 AJAX 发送真实性令牌请求。
这一行为变化发生在 2011 年 2 月,这意味着所有 Rails UJS 脚本都必须更新:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
您问题的第二部分询问有关在非以下情况下用于删除的 HTTP POST 谓词: AJAX 案例。这是因为 Rails 必须模拟 REST 表单处理,因为浏览器无法实现所有 4 个 HTTP 动词,例如 GET、POST、PUT 和 PUT。删除,因为这些动词在 HTML 中无效。
JavaScript (AJAX) 可以做真正的事情,因为它控制发送到 AJAX 端点的标头。
The first possible cause for your issue (that I can think of) is that if your UJS script is more than a couple of months old you may need to update it to the latest version in order for your application to send the authenticity token with AJAX requests.
This change in behaviour occurred in February 2011, which meant that all Rails UJS scripts had to be updated:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
The second part of your question asks about the HTTP POST verb being used for a delete when a non-AJAX case. This is because Rails has to simulate REST form handling since browsers don't implement all 4 HTTP verbs e.g. GET, POST, PUT & DELETE, because these verbs aren't valid in HTML.
JavaScript (AJAX) can do the real thing because it controls the headers that are sent to your AJAX endpoint.
此外,您还需要在应用程序布局文件的
标记内添加<%= csrf_meta_tag %>。该帮助器放置了几个额外的标记,jquery_ujs脚本需要这些标记来组成有效的 POST 请求。Also you need to add
<%= csrf_meta_tag %>inside<head>tag of your application layout file. This helper puts couple additional<meta>tags which are needed forjquery_ujsscript to compose valid POST request.