[英]How to prevent directly sending the post request in the backend in rails?
I am currently have a form that search for a registrant and has a validation on the front-end to verify that all required fields are filled out, which it throws an error all the fields are left blank after submitting, BUT when anyone send a direct POST request(without using the ui) they can bypass all the required field.我目前有一个搜索注册人的表格,并在前端进行验证以验证是否填写了所有必填字段,这会引发错误,提交后所有字段都留空,但是当任何人直接发送POST 请求(不使用 ui)他们可以绕过所有必填字段。 I have been told that I should specify a validation so that it can prevent someone sending direct POST request through other means such as postman.
我被告知我应该指定一个验证,以便它可以防止有人通过其他方式(例如 postman)发送直接 POST 请求。
Here is my current controller:这是我当前的 controller:
class RegistrantsController < ApplicationController
before_action :set_search, only: %i[search_by_name]
def search_by_name
authorize Registrant, :search?
session.delete(:search_for_patient)
if search_params[:first_name].present? && search_params[:last_name].present? && search_params[:date_of_birth].present?
@registrants = Registrant.search_by_name(search_params.transform_values(&:strip))
end
respond_to do |format|
format.html { render 'search'}
format.js { render partial: 'patient_search_result'}
end
end
private
def search_params
params.permit(:first_name, :last_name, :date_of_birth, :identification_type, :identification_number)
end
def set_search
@q = Registrant.ransack(params[:q]&.transform_values(&:strip))
@registrants = params[:q] ? @q.result : nil
@patient = Registrant.find(session[:patient_id_to_add_caregiver]) if session[:patient_id_to_add_caregiver]
hospice_id = session[:hospice_id_to_add_caregiver] || session[:hospice_id_to_add_patient]
@hospice = Hospice.find(hospice_id) if hospice_id
end
end
Im not sure if that's enough information but let me know if more information need to be clarified.我不确定这些信息是否足够,但如果需要澄清更多信息,请告诉我。 Thank you
谢谢
UPDATE:更新:
Here is the route:这是路线:
match 'registrants/search_by_name',
to: 'registrants#search_by_name',
as: 'name_search_registrants',
via: [:get, :post]
One of the solutions would be to change the code in your controller to something like this:解决方案之一是将 controller 中的代码更改为如下所示:
def search_by_name
# some code omitted
if search_params[:first_name].present? && search_params[:last_name].present? && search_params[:date_of_birth].present?
@registrants = Registrant.search_by_name(search_params.transform_values(&:strip))
respond_to do |format|
format.html { render 'search' }
format.js { render 'patient_search_result'}
end
else
flash[:alert] = "Please provide all the data required for a search"
respond_to do |format|
format.html { render 'search_error' }
format.js { render 'search_error' }
end
end
end
Then, you would have to create two new views to display the error to a user.然后,您必须创建两个新视图来向用户显示错误。 The simplest way would be something like this:
最简单的方法是这样的:
<div><%= flash[:alert] %></div>
alert('<%= flash[:alert] %>');
Of course in production it should be a bit more user friendly but my code can be extended a bit to achieve that.当然在生产中它应该更加用户友好但是我的代码可以扩展一点来实现这一点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.