Devise + Rails 3.0.4 ends session after AJAX request


Problem description

I have an action triggered by an AJAX request generated by Ajax.InPlaceEditor or InPlaceCollectionEditor like this:

new Ajax.InPlaceCollectionEditor('agent_email', 'inspections/<%= @inspection.id %>/update_field',
{
    collection: [<% @agents.each do |agent| %>
        '<%= agent.email %>',
        <% end %>],
    okText: 'Update',
    cancelText: 'Never mind',
    savingText: 'Updating...'
});

At the other end, the action contains this:

def update_field
  # --some code here--
  if success
    puts "stored change"
    render :text => result
  else
    puts "did note change store"
    render :text => inspection.errors.to_json, :status => 500
  end
end

Once any of the render methods are reached, the session expires, and the next time the user sends a request, Devise sends them to the logon page.

Even though I am exempting update_field from authentication (before_filter :authenticate_user!, :except => :update_field), the session is still getting reset.

I have looked at the answer to a very similar question, Devise session immediately expiring on .js call [AJAX] (http://stackoverflow.com/questions/5049672/devise-session-immediately-expiring-on-js-call-ajax), but it is not solving my particular problem.

Any ideas?

Recommended answer

I got this to work by getting the code from http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails (prototype-snippet.js):

/*
 * Registers a callback which copies the csrf token into the
 * X-CSRF-Token header with each ajax request.  Necessary to
 * work with rails applications which have fixed
 * CVE-2011-0447
 */

Ajax.Responders.register({
  onCreate: function(request) {
    var csrf_meta_tag = $$('meta[name=csrf-token]')[0];

    if (csrf_meta_tag) {
      var header = 'X-CSRF-Token',
          token = csrf_meta_tag.readAttribute('content');

      if (!request.options.requestHeaders) {
        request.options.requestHeaders = {};
      }
      request.options.requestHeaders[header] = token;
    }
  }
});

... within a Javascript block in my application.html.erb:

<script type="text/javascript">
  (... the code from above)
</script>

Also don't forget to add:

<%= csrf_meta_tag %>

in the same file towards the top (if not already there).

The document "CSRF Protection Bypass in Ruby on Rails" explains why this works.
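The behaviour behind the question and the fix, as an added example that is not part of the original answer and is not Rails' own code: a simplified Ruby model of a server that, since the CVE-2011-0447 fix, empties the session of any non-GET request lacking a valid CSRF token. `ModelApp`, `Request` and `run_scenario` are hypothetical names, and the in-place editor is assumed to send a POST.

```ruby
require 'securerandom'

# Simplified model of the check, not Rails source; all names are hypothetical.
Request = Struct.new(:verb, :headers, :params)

class ModelApp
  def initialize
    @session = {}
  end

  # Stand-in for a Devise login: stores the user and a per-session CSRF token.
  def sign_in(user_id)
    @session = { user_id: user_id, csrf_token: SecureRandom.base64(32) }
  end

  # The value csrf_meta_tag exposes in <meta name="csrf-token">.
  def csrf_token
    @session[:csrf_token]
  end

  # Non-GET requests must carry the token as a form parameter or in the
  # X-CSRF-Token header; being an XHR does not exempt the request.
  def verified?(req)
    return true if req.verb == 'GET'
    supplied = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
    !csrf_token.nil? && supplied == csrf_token
  end

  # An unverified request still runs, but with an emptied session, so the
  # user is anonymous from then on.
  def handle(req)
    @session = {} unless verified?(req)
    @session.key?(:user_id) ? :authenticated : :anonymous
  end
end

# Constructed scenario: log in, POST the in-place edit, then load a page.
def run_scenario(send_header)
  app = ModelApp.new
  app.sign_in(42)
  headers = { 'X-Requested-With' => 'XMLHttpRequest' }
  headers['X-CSRF-Token'] = app.csrf_token if send_header
  app.handle(Request.new('POST', headers, { 'value' => 'agent@example.com' }))
  app.handle(Request.new('GET', {}, {}))
end

puts "without header: #{run_scenario(false)}"
puts "with header:    #{run_scenario(true)}"
```

The CSRF check is separate from the `authenticate_user!` filter, which is why exempting `update_field` from authentication does not stop the session from being reset.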
