Sinatra Padrino 框架 attack prevented by Rack::Protection::AuthenticityToken

lrbnew · 2015年10月13日 · 最后由 lrbnew 回复于 2015年10月13日 · 7473 次阅读

如题,用户退出功能,仿照了 ruby-china 的前端代码,

<li class=""><%= link_to t('user.sign_out'), url(:accounts, :destroy), :method => "delete" %></li>

引入了 jquery-ujs

生成的 html 如下:

<li class=""><a  href="/sign_out" data-method="delete" rel="nofollow">退出</a></li>

页面点击退出时,显示 forbidden,后台的 log 提示 attack prevented by Rack::Protection::AuthenticityToken 怀疑是和 csrf 有关,但是不知道怎么规避?

从官网找到一段描述,解决了这个问题: Notes for Custom Method Links, I think this should be included in document.

Since Padrino is using rack-protection, if you just change the link method to post, delete or put without providing a CSRF token, you will get a 403 response, and a warning in the console says: "WARN - attack prevented by Rack::Protection::AuthenticityToken",

You should create your link like this: link_to "delete item", url(:items, :destroy, :authenticity_token => session[:csrf]), :method => :delete, :confirm => 'Are you sure ?'

You can get CSRF token by accessing session[:csrf]

需要 登陆 后方可回复, 如果你还没有账号请 注册新账号