{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 甜甜的少女心 的问题《Rails 4 Authenticity Token》','https://www.manongdao.com/q-39878.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I was working on a new Rails 4 app (on Ruby 2.0.0-p0) when I ran into some authenticity token problems.
While writing a controller that responds to json (using the respond_to class method), I got to the create action I started getting ActionController::InvalidAuthenticityToken exceptions when I tried to create a record using curl.
I made sure I set -H "Content-Type: application/json" and I set the data with -d "<my data here>" but still no luck.
I tried writing the same controller using Rails 3.2 (on Ruby 1.9.3) and I got no authenticity token problems whatsoever. I searched around and I saw that there were some changes with authenticity tokens in Rails 4. From what I understand, they are no longer automatically inserted in forms anymore? I suppose this is somehow affecting non-HTML content types.
Is there any way to get around this without having to request a HTML form, snatching the authenticity token, then making another request with that token? Or am I completely missing something that's completely obvious?
Edit: I just tried creating a new record in a new Rails 4 app using a scaffold without changing anything and I'm running into the same problem so I guess it's not something I did.
If you're using jQuery with rails, be wary of allowing entry to methods without verifying the authenticity token.
jquery-ujs can manage the tokens for you
You should have it already as part of the jquery-rails gem, but you might need to include it in application.js with
That's all you need - your ajax call should now work
For more information, see: https://github.com/rails/jquery-ujs
This official doc - talks about how to turn off forgery protection for api properly http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
Add
authenticity_token: trueto the form tagI think I just figured it out. I changed the (new) default
to
as per the comment in
ApplicationController.You can see the difference by looking at the source for
request_forgery_protecton.rb, or, more specifically, the following lines:In Rails 3.2:
In Rails 4:
Which will call the following:
This is a security feature in Rails. Add this line of code in the form:
Documentation can be found here: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
These features were added for security and forgery protection purposes.
However, to answer your question, here are some inputs. You can add these lines after your the controller name.
Like so,
Here are some lines for different versions of rails.
Rails 3
Rails 4:
Should you intend to disable this security feature for all controller routines, you can change the value of protect_from_forgery to :null_session on your application_controller.rb file.
Like so,