从 InvalidCrossOriginRequest 救援时 Rails 4.1 中的 DoubleRenderError [英] DoubleRenderError in Rails 4.1 when rescuing from InvalidCrossOriginRequest

问题描述

我今天已经升级到 Rails 4.1.0.跨站点请求伪造 (CSRF) 保护现在也涵盖带有 JavaScript 响应的 GET 请求.

I've upgraded to Rails 4.1.0 today. Cross-site request forgery (CSRF) protection now covers GET requests with JavaScript responses, too.

我在应用中有一些远​​程 GET 链接被机器人攻击，现在抛出 ActionController::InvalidCrossOriginRequest 异常.

I have a few remote GET links in the app that are hit by the bots and are now throwing ActionController::InvalidCrossOriginRequest exception.

所以我在 application_controller 中添加了另一行rescue_from:

So I added another rescue_from line to application_controller:

rescue_from ActionController::InvalidCrossOriginRequest, with: :render_400

这是 render_400 方法:

Here's the render_400 method:

def render_400
    render(nothing: true, status: 400) and return
end

我仍然收到 AbstractController::DoubleRenderError，即使我添加了 并返回，如你所见.

I'm still getting AbstractController::DoubleRenderError even though I added and return as you can see above.

它只发生在 ActionController::InvalidCrossOriginRequest 异常中.其他人喜欢例如ActionController::BadRequest 并且不会导致 AbstractController::DoubleRenderError.

It happens only with the ActionController::InvalidCrossOriginRequest exception. Others like e.g. ActionController::BadRequest and not resulting in AbstractController::DoubleRenderError.

推荐答案

根本原因是 response_body 的某些部分在触发错误之前已分配.

The underlying reason is that some part of the response_body is assigned before the error is triggered.

您可以尝试在异常处理程序中调用 render 之前清除响应正文.

You could try clearing the response body before calling render in the exception handler.

def render_400
  # Clear the previous response body to avoid a DoubleRenderError
  # when redirecting or rendering another view
  self.response_body = nil

  render(nothing: true, status: 400)
end

这篇关于从 InvalidCrossOriginRequest 救援时 Rails 4.1 中的 DoubleRenderError的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！