为什么destroy操作会在Rails 3中的Production中触发HTTP身份validation?
按“删除”时会发生什么的屏幕截图: http : //twitpic.com/4mljuy
这是我在production.log中看到的:
Started POST "/clients/1" for 127.0.0.1 at 2011-04-20 13:48:26 -0500 Processing by ClientsController#destroy as JSON Parameters: {"id"=>"1"} nil Completed in 3ms 这是我在我的控制器中的销毁动作:
def destroy client = Client.find(params[:id]) client.destroy respond_to do |format| format.html { redirect_to("/") } format.js { render :json => ['client',params[:id]].to_json, :layout => false } end end
这是我视图中的删除链接:
<span class="icon destroy-icon" data-destroy-title="Delete ?" data-destroy-url="" data-compv-mapping="clientDestroyFn" title="Delete">
这是JS:
$('[data-destroy-url]').live('click', function(e){ console.debug("Clicked Destroy"); var element = $(this); var mapping = compv.tools.getVariableFromString(element.attr("data-compv-mapping"), compv); var dialog = $("div#" + mapping.dialog); dialog.dialog('option', 'title', element.attr("data-destroy-title")); dialog.dialog("option", "buttons", [ { text: "No", click: function(){ dialog.dialog('close'); } }, { text: "Yes, do it!", click: function() { dialog.dialog('close'); $.destroy({ url: element.attr('data-destroy-url'), success: mapping.success }); }} ]); dialog.dialog('open'); });
顺便说一句,这只发生在RAILS_ENV=production而不是development 。
编辑:这是我的应用程序控制器:
class ApplicationController < ActionController::Base helper :all helper_method :current_user, :logged_in? protect_from_forgery before_filter :set_current_user before_filter :authenticate_user! def set_xhr_flash flash.discard if request.xhr? end def correct_safari_and_ie_accept_headers ajax_request_types = ['text/javascript', 'application/json', 'text/xml'] request.accepts.sort! { |x, y| ajax_request_types.include?(y.to_s) ? 1 : -1 } if request.xhr? end protected def set_current_user logger.info current_user.inspect Authorization.current_user = current_user #User.current = current_user end # def after_sign_in_path_for(resource) # if resource.is_a?(User) && resource.has_trial_expired? # return url_for(:settings) # end # super # end end
Edit2:当我试图删除一个阶段(这是一个对象)时,我在我的日志文件中收到了这条消息:
Started POST "/stages/58" for 127.0.0.1 at 2011-04-20 23:18:13 -0500 Processing by StagesController#destroy as JSON Parameters: {"id"=>"58"} User Load (1.6ms) SELECT "users".* FROM "users" WHERE "users"."id" = 11 LIMIT 1 nil Permission denied: No matching rules found for destroy for # (roles [:guest], privileges [:destroy], context :stages). Rendered text template (0.0ms) Completed 403 Forbidden in 232ms (Views: 0.9ms | ActiveRecord: 1.6ms)
更新到最新的jquery ujs驱动程序,其中包含每个请求中的CSRF令牌,以防止自3.0.4中的更改后您的会话被重置。
您可能在应用程序控制器或控制器上有一个filter,并且请求了基本身份validation。
或者,你有任何gem用于认证吗?