Unauthorized after AJAX call #280

Closed
pconnor opened this Issue Feb 18, 2011 · 11 comments


@pconnor

After updating a div (containing records from a related model) with AJAX, authorization is lost. This happens even if authorization is completely removed from the related model.

@ryanb
Owner

What do you mean by "authorization is lost"? Is it reporting the user is not authorized? What is the controller and action you are using and how is authorization taking place there?

@pconnor

OK. While I do not have this solved, it appears that my issue is with Devise (or my implementation of it) and not CANCAN. When I send an AJAX request, Devise is signing me out.

@ryanb
Owner

That's strange, but if Devise is signing you out then that does make sense why it would return not authorized. Closing this but if you find it to be a problem with CanCan comment here and I'll reopen.

@yfeldblum

This is likely related to the rails-3.0.4 security release. You should make sure you have up-to-date rails (3.0.4) and devise (1.1.17) gems and the up-to-date rails.js file (if you're using jquery-rails, re-run rails g jquery:install).

@pconnor

Thanks @ryanb and @yfeldblum. I have updated devise, rails, jquery, etc. and the same problem exists. It looks like a number of the issues in the Devise google group are dancing around this (IMHO). For now I will wait and see.

@cotelha

I did the update (jquery-rails) and functioned perfectly. Thanks so much all.

@jmccartie

I experienced the same issue (was trying to do a remote delete and was being logged out). I upgraded jquery-rails, and upgraded devise from 1.1.7 to 1.1.8 (was already on Rails 3.0.4). I had to upgrade my version of jQuery from 1.4.2 to 1.4.3, also. Rebooted server and all worked.

@pconnor

I also have performed the updates as listed above and all works.

@ryanb
Owner

Thanks for reporting this everyone. I'm glad you got it working.

@eduludi

I was struggling with this same problem. "I also have performed the updates as listed above"... BUT it did not work! After several hours of searching on Google and a lot of trial and error, I realized that the following was missing in <head>: <%= javascript_include_tag 'rails.js' %>
Yes, I was including jquery.min.js, jquery.ui.min.js, and application.js this way, but I was missing rails.js... After adding this line, it worked perfectly. Hope this helps someone else.

@schneems

Should this also be fixed for just a raw jQuery ajax call?

    $.ajax({
      url:      target.data('url'),
      dataType: 'html',
      type:     'POST', //...
    })

I have the csrf_meta_tag included as well as all javascript files and I've regenerated them using rails g jquery:install with query- 1.1.19 gem on the system, and restarted my server. Yet I still cannot get the above to work without also including this

    $(document).ajaxSend(function(e, xhr, options) {
      var token = $("meta[name='csrf-token']").attr("content");
      xhr.setRequestHeader("X-CSRF-Token", token);
    });

This is on a 3.0.9 project
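
An added example, not part of the thread and not code from CanCan, Devise or jquery-rails: Rails 3.0.4 and later verify the CSRF token on non-GET AJAX requests as well and reset the session when it is missing, which is what shows up above as being signed out. The sketch below sets the same `X-CSRF-Token` header as the handler in the last comment, but only for non-GET requests to the page's own origin, so the token is not sent to other hosts. The helper names `shouldAttachCsrfToken` and `csrfHeaders` are hypothetical, and it assumes a browser that provides the `URL` constructor.

```javascript
// Added example; helper names are hypothetical, not a Rails or jQuery API.

// Decide whether a request should carry the CSRF token:
// only non-GET requests (Rails does not CSRF-check GET) to the page's own origin.
function shouldAttachCsrfToken(method, url, pageHref) {
  var verb = String(method || 'GET').toUpperCase();
  if (verb === 'GET') { return false; }
  var target;
  try {
    // Resolves relative ("/x") and protocol-relative ("//host/x") URLs.
    target = new URL(url, pageHref);
  } catch (e) {
    return false; // unparseable target: do not send the token
  }
  // Origin covers scheme, host and port, so a different port is cross-origin.
  return target.origin === new URL(pageHref).origin;
}

// Build the extra headers for one request; empty when no token applies.
function csrfHeaders(method, url, pageHref, token) {
  if (!token || !shouldAttachCsrfToken(method, url, pageHref)) { return {}; }
  return { 'X-CSRF-Token': token };
}

// Browser wiring: same hook as in the comment above, with the checks applied.
// Skipped when jQuery or a DOM is not present (for example under Node).
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  jQuery(document).ajaxSend(function (e, xhr, options) {
    var token = jQuery("meta[name='csrf-token']").attr('content');
    var headers = csrfHeaders(options.type, options.url,
                              window.location.href, token);
    for (var name in headers) {
      xhr.setRequestHeader(name, headers[name]);
    }
  });
}
```

The meta tag read here is the one emitted by `csrf_meta_tag` in the layout's head, so the handler does nothing if that tag is missing.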

This issue was closed.