Rails and ajax request: not using csrf working?
<p>I was making an AJAX POST request to Rails with this code:</p>
<pre><code>var new_note = {
  title: "New note"
};
$.post('/notes.json',
  {
    auth_token: auth_token,
    note: new_note
  },
  function(data, textStatus, jqXHR){
    console.log(textStatus);
    console.log(jqXHR);
    var createdNoteIndex = self.notes.push(new Note());
    self.openNote(self.notes()[createdNoteIndex - 1]);
  }, "json")
  .error(function(jqXHR, textStatus, errorThrown){
    alert("error");
    console.log(jqXHR);
    console.log(textStatus);
    console.log(errorThrown);
  });
</code></pre>
<p>and I forgot to insert the CSRF token, so I thought the create action was going to fail:</p>
<pre><code># POST /notes.json
def create
  @note = current_user.notes.new(params[:note])

  if @note.save
    respond_with { render json: @note, status: :created, location: @note }
  else
    respond_with { render json: @note.errors, status: :unprocessable_entity }
  end
end
</code></pre>
<p>but the record in the database has been created anyway, while the request ended in a 500 error:</p>
<pre><code>Started POST "/notes.json" for 127.0.0.1 at 2012-04-30 15:26:33 +0200
Processing by NotesController#create as JSON
  Parameters: {"auth_token"=&gt;"zJzKxPnvx5dQDTcFWi5k", "note"=&gt;{"title"=&gt;"New note"}}
MONGODB (0ms) taccuino_development['users'].find({:_id=&gt;BSON::ObjectId('4f9c670a809ad20869000002')}).limit(-1).sort([[:_id, :asc]])
MONGODB (0ms) taccuino_development['notes'].insert([{"_id"=&gt;BSON::ObjectId('4f9e9309809ad223f5000007'), "title"=&gt;"New note", "user_id"=&gt;BSON::ObjectId('4f9c670a809ad20869000002')}])
Completed 500 Internal Server Error in 8ms

AbstractController::DoubleRenderError (Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need to do something like "redirect_to(...) and return".):
  app/controllers/notes_controller.rb:26:in `create'

  Rendered /home/matteo/.rvm/gems/ruby-1.9.3-p194/gems/actionpack-3.2.3/lib/action_dispatch/middleware/templates/rescues/_trace.erb (4.2ms)
  Rendered /home/matteo/.rvm/gems/ruby-1.9.3-p194/gems/actionpack-3.2.3/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb (1.5ms)
  Rendered /home/matteo/.rvm/gems/ruby-1.9.3-p194/gems/actionpack-3.2.3/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb within rescues/layout (14.8ms)
</code></pre>
<p>I've not disabled the CSRF protection, so it should have given an error about the missing token, but it hasn't...</p>
<p><strong>EDIT:</strong></p>
<p>After reading the two answers I have:</p>
<ul>
<li>removed the jquery_ui file</li>
</ul>
<p>added this code to replace the jquery_ui function for the CSRF token, also setting the auth_token for Devise:</p>
<pre><code>$.ajaxSetup({
  beforeSend: function(xhr, settings) {
    if (settings.crossDomain) return;
    var csrf_token = $('meta[name="csrf-token"]').attr('content');
    var auth_token = $('meta[name="auth_token"]').attr('content');

    xhr.setRequestHeader('X-CSRF-Token', csrf_token);
    xhr.setRequestHeader('auth_token', auth_token);
  }
});
</code></pre>
<p>removed the before_filter authenticate_user! from the controller and replaced the create action related to the current_user with a different one:</p>
<pre><code>def create
  @note = Note.new(params[:note])

  if @note.save
    respond_with { render json: @note, status: :created }
  else
    respond_with { render json: @note.errors, status: :unprocessable_entity }
  end
end
</code></pre>
<p>Then I've disabled the CSRF protection but I'm still getting the same error... so the problem is another one, but I really can't understand what can cause a double redirection since the record is correctly created in the database...</p>
 
