nil.[] in request_forgery_protection when trying t

2019-07-18 20:03发布

问题:

Rails throws a NoMethodError on a page whenever I try to add a form_tag to it, and gives the following error output and stack trace:

You have a nil object when you didn't expect it!
You might have expected an instance of Array.
The error occurred while evaluating nil.[]

ruby/1.9.1/gems/actionpack-3.0.5/lib/action_controller/metal/request_forgery_protection.rb:114:in `form_authenticity_token'
ruby/1.9.1/gems/actionpack-3.0.5/lib/abstract_controller/helpers.rb:55:in `form_authenticity_token'
ruby/1.9.1/gems/actionpack-3.0.5/lib/action_view/helpers/form_tag_helper.rb:582:in `token_tag'
ruby/1.9.1/gems/actionpack-3.0.5/lib/action_view/helpers/form_tag_helper.rb:555:in `extra_tags_for_form'
ruby/1.9.1/gems/actionpack-3.0.5/lib/action_view/helpers/form_tag_helper.rb:566:in `form_tag_html'
ruby/1.9.1/gems/actionpack-3.0.5/lib/action_view/helpers/form_tag_helper.rb:573:in `form_tag_in_block'
ruby/1.9.1/gems/actionpack-3.0.5/lib/action_view/helpers/form_tag_helper.rb:52:in `form_tag'
app/views/teams/new.html.erb:1:in `_app_views_teams_new_html_erb__114968057028112192_2181733580__2538292988913059192'

There's more to the stack trace, but the relevant portions are that it is being triggered from the form_tag being called and that it leads into a request_forgery_protection.

When I remove the form_tag from the page, the error persists but now it gets triggered from the <%= csrf_meta_tag %> in my application layout.

The trace in this case also points to the same line in the request_forgery_protection method in the controller

ruby/1.9.1/gems/actionpack-3.0.5/lib/action_controller/metal/request_forgery_protection.rb:114:in `form_authenticity_token'
ruby/1.9.1/gems/actionpack-3.0.5/lib/abstract_controller/helpers.rb:55:in `form_authenticity_token'
ruby/1.9.1/gems/actionpack-3.0.5/lib/action_view/helpers/csrf_helper.rb:9:in `csrf_meta_tag'
app/views/layouts/application.html.erb:5:in `_app_views_layouts_application_html_erb___1820392644171111615_2183801660__2538292988913059192'

I've tried commenting out "protect_from_forgery" in my ApplicationController, but that does nothing. And I've also tried commenting out the csrf_meta_tag, which when I comment out in combination with removing the form_tag allows the action to render.

To debug this, I've tried to make my view the most basic possible:

<div>
<h1>This is a Header</h1>

<%= form_tag do %>
  Form contents
<% end %>
</div>

And my controller is as follows:

class TeamsController < ApplicationController
  before_filter :authenticate_user!
  check_authorization
  load_and_authorize_resource

  def new
    @team = Team.new
  end
end

Relevant gems I'm trying to use are: Devise, Cancan, and Rails 3.0.5

Edit: My session dump is as follows -

_csrf_token: "iZRWhye/WBrzjWbKreJVIRpfTbfpbSaaJu3fMiW3wEg="
flash: {:notice=>"Signed in successfully."}
session_id: "85fc7d152a17ca884f5b299f4cde926b"
warden.user.user.key: ["User", [1], "$2a$10$KC66DL1T.71ERw4d4VHVq."]
warden.user.user.session: {"last_request_at"=>2011-08-02 22:03:57 UTC}

回答1:

Put this in your view and paste the output:

<pre>
<%= method(:session)  %>
<%= instance_variable_get(:@controller).method(:session) %>
<%= instance_variable_get(:@controller).instance_variable_get(:@_request).session.inspect %>
</pre>

If your controller is called HomeController, you'll see something like this:

#<Method: #<Class:0x1cc12fc>(ActionView::Base)#session>
#<Method: HomeController(ActionController::Metal)#session>
{"_csrf_token"=>"R4KKC1hDCzY5hUcIks1xIUonEpywlhjKqjJS7J1gCOk=", "session_id"=>"886b4f181bdc955250424858f45887ad"}

Something might be re-defining the session method at some point in the delegation chain.