基本.ajax張貼到導軌3.2.2腳手架生成「警告：無法驗證CSRF令牌的真實性」

Question

我想了解如何使用$ .ajax通過jquery發佈一些數據到一個簡單的導軌腳手架項目。有一個標準的腳手架創建控制器=>圖像

class ImagesController < ApplicationController 
    # GET /images 
    # GET /images.json 
    def index 
    @images = Image.all 

    respond_to do |format| 
     format.html # index.html.erb 
     format.json { render json: @images } 
    end 
    end 

    # GET /images/1 
    # GET /images/1.json 
    def show 
    @image = Image.find(params[:id]) 

    respond_to do |format| 
     format.html # show.html.erb 
     format.json { render json: @image } 
    end 
    end 

    # GET /images/new 
    # GET /images/new.json 
    def new 
    @image = Image.new 

    respond_to do |format| 
     format.html # new.html.erb 
     format.json { render json: @image } 
    end 
    end 

    # GET /images/1/edit 
    def edit 
    @image = Image.find(params[:id]) 
    end 

    # POST /images 
    # POST /images.json 
    def create 
    @image = Image.new(params[:image]) 

    respond_to do |format| 
     if @image.save 
     format.html { redirect_to @image, notice: 'Image was successfully created.' } 
     format.json { render json: @image, status: :created, location: @image } 
     else 
     format.html { render action: "new" } 
     format.json { render json: @image.errors, status: :unprocessable_entity } 
     end 
    end 
    end 

    # PUT /images/1 
    # PUT /images/1.json 
    def update 
    @image = Image.find(params[:id]) 

    respond_to do |format| 
     if @image.update_attributes(params[:image]) 
     format.html { redirect_to @image, notice: 'Image was successfully updated.' } 
     format.json { head :no_content } 
     else 
     format.html { render action: "edit" } 
     format.json { render json: @image.errors, status: :unprocessable_entity } 
     end 
    end 
    end 

    # DELETE /images/1 
    # DELETE /images/1.json 
    def destroy 
    @image = Image.find(params[:id]) 
    @image.destroy 

    respond_to do |format| 
     format.html { redirect_to images_url } 
     format.json { head :no_content } 
    end 
    end 
end 

與一個路線=>資源：圖像。數據庫模式由一個字段=> t.string：name組成。 我最初的測試HTML文件：

<html> 
<head> 
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"> </script> 
</head> 
<body> 
    <script> 
    $(document).ready(function(){ 
     $.ajax({ 
      type: 'POST', url: "localhost:3000/images", 
      data: { name: "johngalt" } 
     }); 
    }); 
    </script> 
</body> 

結果從WEBrick是使用：

Started POST "/images" for 127.0.0.1 at 2012-04-17 09:50:19 -0500 
Processing by ImagesController#create as */* 
    Parameters: {"name"=>"johngalt"} 
WARNING: Can't verify CSRF token authenticity 
    (0.1ms) begin transaction 
    SQL (63.5ms) INSERT INTO "images" ("created_at", "name", "updated_at") VALUES (?, ?, ?) [["created_at", Tue, 17 Apr 2012 14:50:21 UTC +00:00], ["name", nil], ["updated_at", Tue, 17 Apr 2012 14:50:21 UTC +00:00]] 
    (2.0ms) commit transaction 
Redirected to http://localhost:3000/images/7 
Completed 302 Found in 81ms (ActiveRecord: 65.6ms) 

我不知道爲什麼名稱不包含 「johngalt」。這是否與「警告：無法驗證CSRF令牌真實性」有關？

編輯 當我使用捲曲：

curl -d "image[name]=johngalt" localhost:3000/images.json 

創建記錄和名稱字段包含 「johngalt」。從本質上講，我試圖找出.ajax相當於做了我能夠捲曲的事情嗎？

Answer 1

當您使用Rails form_for幫助程序創建表單並且旨在保護用戶免受cross-site request forgery attacks影響時，CSRF令牌會自動添加到您的帖子表單中。因此，如果您嘗試在JavaScript文件中發帖，您將無法訪問該令牌。

只要您瞭解後果，您可以根據需要禁用特定操作的CSRF令牌身份驗證。

有幾個方法可以做到這一點，這裏列出：Turn off CSRF token in rails 3

編輯在你捲曲例子來看，它看起來像你的AJAX發佈了錯誤的數據。您正在省略「圖像」參數名稱空間。請嘗試：

<script> 
$(document).ready(function(){ 
    $.ajax({ 
     type: 'POST', url: "localhost:3000/images", 
     data: { image: { name: "johngalt" } } 
    }); 
}); 
</script>