Sinatra / Padrino framework: attack prevented by Rack::Protection::AuthenticityToken

lrbnew · October 13, 2015 · last reply by lrbnew on October 13, 2015 · 7727 views

As the title says: for the user sign-out feature, I modelled the front-end code on ruby-china's:

<li class=""><%= link_to t('user.sign_out'), url(:accounts, :destroy), :method => "delete" %></li>

and included jquery-ujs.

The generated HTML is:

<li class=""><a  href="/sign_out" data-method="delete" rel="nofollow">退出</a></li>

When I click sign out on the page it shows Forbidden, and the back-end log says "attack prevented by Rack::Protection::AuthenticityToken". I suspect this is CSRF-related, but I don't know how to get around it.

I found a passage on the official site that solved the problem: "Notes for Custom Method Links". I think this should be included in the documentation.

Since Padrino is using rack-protection, if you just change the link method to post, delete or put without providing a CSRF token, you will get a 403 response, and a warning in the console says: "WARN - attack prevented by Rack::Protection::AuthenticityToken".

You should create your link like this: link_to "delete item", url(:items, :destroy, :authenticity_token => session[:csrf]), :method => :delete, :confirm => 'Are you sure ?'

You can get the CSRF token by accessing session[:csrf].
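To show why the original link was rejected and why the fix from the Padrino notes works, here is an added example, not code from the thread or from rack-protection itself. It is a deliberately simplified, constructed reimplementation of the check that Rack::Protection::AuthenticityToken performs (a per-session token in session[:csrf], compared in constant time against the authenticity_token parameter or the X-CSRF-Token header on every non-safe request), plus a helper that builds the sign-out link with the token in the URL the way the fix does. The class name AuthenticityCheck, the sign_out_link helper and the demo function are all assumptions of this example.

```ruby
require 'securerandom'
require 'cgi'
require 'uri'

# Constructed, simplified stand-in for Rack::Protection::AuthenticityToken
# (not rack-protection's own code). Safe methods pass; every other method
# must carry the session's CSRF token.
class AuthenticityCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    session = env['rack.session'] ||= {}
    session[:csrf] ||= SecureRandom.hex(32) # issue a per-session token on first request
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    if token_matches?(env, session[:csrf])
      @app.call(env)
    else
      warn 'WARN - attack prevented by AuthenticityCheck (constructed example)'
      [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
    end
  end

  private

  # The token may arrive as the authenticity_token query parameter (what the
  # thread's fix does) or as an X-CSRF-Token request header.
  def token_matches?(env, expected)
    params   = CGI.parse(env['QUERY_STRING'].to_s)
    supplied = params['authenticity_token'].first || env['HTTP_X_CSRF_TOKEN']
    return false if supplied.nil? || supplied.empty?

    secure_compare(supplied, expected)
  end

  # Constant-time comparison so a forged token cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Builds the sign-out link the way the Padrino notes recommend: the session
# token is embedded in the href, so the DELETE that jquery-ujs issues carries it.
def sign_out_link(session, path = '/sign_out')
  token = CGI.escape(session[:csrf])
  %(<a href="#{path}?authenticity_token=#{token}" data-method="delete" rel="nofollow">Sign out</a>)
end

# Walks through the thread's scenario and returns the three status codes:
# DELETE without a token, DELETE with the token from the generated link,
# and DELETE with a forged token of the right length.
def demo
  app = AuthenticityCheck.new(->(_env) { [200, { 'content-type' => 'text/plain' }, ['signed out']] })
  session = {}

  # Rendering the page (a GET) establishes the session token.
  app.call('REQUEST_METHOD' => 'GET', 'QUERY_STRING' => '', 'rack.session' => session)

  # The original link: DELETE with no token -> 403, as reported in the thread.
  without = app.call('REQUEST_METHOD' => 'DELETE', 'QUERY_STRING' => '', 'rack.session' => session)

  # The fixed link: extract its query string and replay it -> 200.
  href  = sign_out_link(session)[/href="([^"]+)"/, 1]
  query = URI(href).query
  with  = app.call('REQUEST_METHOD' => 'DELETE', 'QUERY_STRING' => query, 'rack.session' => session)

  # A token that is not the session's token is still rejected.
  forged = app.call('REQUEST_METHOD' => 'DELETE',
                    'QUERY_STRING' => "authenticity_token=#{'0' * 64}",
                    'rack.session' => session)

  [without[0], with[0], forged[0]]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the comparison is that the 403 is the middleware doing its job: a request that changes state (sign-out included) is only honoured when it proves it originated from a page this session rendered. The real rack-protection middleware also accepts the token from a form field and a header, so for jquery-ujs a `<meta name="csrf-token">` tag is the usual alternative to putting it in the URL.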
