Unauthorized after AJAX call #280

pconnor opened this Issue Feb 18, 2011 · 11 comments

7 participants


After updating a div (containing records from a related model) with AJAX, authorization is lost. This happens even if authorization is completely removed from the related model.


What do you mean by "authorization is lost"? Is it reporting the user is not authorized? What is the controller and action you are using and how is authorization taking place there?


OK. While I do not have this solved, it appears that my issue is with Devise (or my implementation of it) and not CANCAN. When I send an AJAX request, Devise is signing me out.


That's strange, but if Devise is signing you out then that does make sense why it would return not authorized. Closing this but if you find it to be a problem with CanCan comment here and I'll reopen.


This is likely related to the rails-3.0.4 security release. You should make sure you have up-to-date rails (3.0.4) and devise (1.1.17) gems and the up-to-date rails.js file (if you're using jquery-rails, re-run rails g jquery:install).


Thanks @ryanb and @yfeldblum. I have updated devise, rails, jquery, etc. and the same problem exists. It looks like a number of the issues in the Devise google group are dancing around this (IMHO). For now I will wait and see.


I did the update (jquery-rails) and it functioned perfectly. Thanks so much all.


I experienced the same issue (was trying to do a remote delete and was being logged out). I upgraded jquery-rails, and upgraded devise from 1.1.7 to 1.1.8 (was already on Rails 3.0.4). I had to upgrade my version of jQuery from 1.4.2 to 1.4.3, also. Rebooted server and all worked.


I also have performed the updates as listed above and all works.


Thanks for reporting this everyone. I'm glad you got it working.


I was struggling with this same problem. "I also have performed the updates as listed above"... BUT did not work! After several hours of searching on Google and a lot of trial and error, I realized that the following was missing in <head>: <%= javascript_include_tag 'rails.js' %>
Yes, I was calling in this way to jquery.min.js, jquery.ui.min.js, and application.js, but I was missing rails.js... After adding this line, it worked perfectly. Hope this helps someone else.


Should this also be fixed for just a raw jQuery ajax call?

    $.ajax({
      url:      target.data('url'),
      dataType: 'html',
      type:     'POST', //...
    });

I have the csrf_meta_tag included as well as all javascript files and I've regenerated them using rails g query:install with query- 1.1.19 gem on the system, and restarted my server. Yet I still cannot get the above to work without also including this:

    $(document).ajaxSend(function(e, xhr, options) {
      var token = $("meta[name='csrf-token']").attr("content");
      xhr.setRequestHeader("X-CSRF-Token", token);
    });

This is on a 3.0.9 project
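
An added example, not part of the thread or of rails.js: the `ajaxSend` workaround from the last comment, restricted to same-origin, non-GET requests. Those are the requests Rails 3.0.4 and later check for a token, and the restriction keeps the token from being sent to other hosts. The function names and sample URLs are assumptions made for illustration.

```javascript
// Added example: decide when an AJAX request should carry the Rails CSRF token.
// needsCsrfToken, csrfHeaders and installCsrfHeader are hypothetical names.

// True only for non-GET requests aimed at the page's own origin.
function needsCsrfToken(method, url, pageUrl) {
  const verb = String(method || 'GET').toUpperCase(); // jQuery defaults to GET
  if (verb === 'GET') return false;
  let target, page;
  try {
    page = new URL(pageUrl);
    target = new URL(url, page); // resolves relative URLs such as "/records/1"
  } catch (e) {
    return false; // unparsable URL: do not attach the token
  }
  // Origin covers scheme, host and port, so http:// vs https:// also differs.
  return target.origin === page.origin;
}

// Extra headers for one request; empty when no token should be sent.
function csrfHeaders(method, url, pageUrl, token) {
  if (!token || !needsCsrfToken(method, url, pageUrl)) return {};
  return { 'X-CSRF-Token': token };
}

// Browser wiring. Assumes jQuery is passed in as `$` and that the layout
// renders csrf_meta_tag, so <meta name="csrf-token"> exists in <head>.
function installCsrfHeader($, pageUrl) {
  $(document).ajaxSend(function (e, xhr, options) {
    const token = $("meta[name='csrf-token']").attr('content');
    const headers = csrfHeaders(options.type, options.url, pageUrl, token);
    Object.keys(headers).forEach(function (name) {
      xhr.setRequestHeader(name, headers[name]);
    });
  });
}
```

In the page, call `installCsrfHeader(jQuery, window.location.href)` once after jQuery has loaded.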

This issue was closed.