使用skip_before_filter逃避真实性令牌是否安全?
[英]Is it safe to escape authenticity token using skip_before_filter?
问题描述
Button_to produce the authenticity token in its form. 
Button_to以其形式产生真实性令牌。 However, invalid authenticity token error is raised and so many threads suggested adding of callback to the specific action in the target controller like below: 但是,会引发无效的真实性令牌错误,因此许多线程建议将回调添加到目标控制器中的特定操作,如下所示:
<!-- view filw -->
<%= button_to "Delete all", "", :method => :delete, :id => "delete_confirmation_button",:onclick => "return confirm('Are you sure you want to delete items?')",
:params => {"#{object.class.name.downcase}_id" => object.id },
:form => {:id => "tool_bar_delete_form"} %>
Since the form path is decided according to selected items I use the following function to add form action later 由于表单路径是根据所选项目决定的,因此我使用以下函数在以后添加表单操作
function detect_selected_items(object_name){
/* some code */
var items_ids_string = "" ;
switch (object_name )
{
case "Questionnaire":
items_ids_string = "/questionnaire_items/" ;
break;
case "Lesson":
items_ids_string = "/lesson_items/" ;
break;
case "Exam":
items_ids_string = "/answers/" ;
break;
};
items_ids_string += "delete_all/"
items_ids_string += items_ids.join(",")
document.getElementById("tool_bar_delete_form").action = items_ids_string ;
}
<!-- controller file -->
skip_before_filter :verify_authenticity_token, :only => :delete_all
since the callback is working quite well. 因为回调效果很好。 My question: 我的问题:
Is it safe to add such callback function to the controller and if not? 将此类回调函数添加到控制器是否安全? how to prevent CSRF in such cases? 在这种情况下如何预防CSRF?
Does adding form actions through scripts cause such error? 通过脚本添加表单操作是否会导致此类错误?
1 个解决方案
解决方案1
0 2017-09-25 18:21:07
No, you should not skip CSRF protection in this case. 不,在这种情况下,您不应跳过CSRF保护。 Do you have javascript intercepting the click on delete_confirmation_button ? 您是否有JavaScript拦截了delete_confirmation_button的点击? I'm almost certain that you do, an unintercepted button_to would not have this problem. 我几乎可以肯定您会这样做,不受阻的button_to不会有此问题。
If you are intercepting the click with JS and using JS to submit the form, you should update the script to include the content of the CSRF meta tag present on the page. 如果要通过JS截获点击并使用JS提交表单,则应更新脚本以包括页面上存在的CSRF meta标记的内容。 The CSRF meta tags look like this: CSRF元标记如下所示:
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="include-this-in-your-request" />
Add a param to your request named "authenticity_token" with the value of the csrf-token to your javascript request. 将名称为csrf-token的参数添加到名为“ authenticity_token”的请求中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.