ruby-on-rails – 我们如何规避这些远程形式的缺点？

以下是我将如何编写此功能.请注意,我实际上没有测试过这个,但这个概念应该可行.

1.
在新操作内部创建一个哈希来标识表单请求.

def new
  @product = Product.new
  @form_token = session["form_token"] = SecureRandom.hex(15)
end

2.
向存储表单标记的表单添加隐藏字段.这将在创建操作中捕获,以确保之前未提交表单.

<%= hidden_field_tag :form_token,@form_token %>

3.
在create操作中,您可以确保表单标记在session和params变量之间匹配.这将使您有机会查看这是第一次提交还是第二次提交.

def create
  # delete the form token if it matches
  if session[:form_token] == params[:form_token]
    session[:form_token] = nil
  else
    # if it doesn't match then check if a record was created recently
    product = Product.where('created_at > ?',3.minutes.ago).where(title: params[:product][:title]).last

    # if the product exists then show it
    # or just return because it is a remote form
    redirect_to product and return if product.present?
  end

  # normal create action here ...
end

更新：我上面描述的有一个名字,它被称为同步器(或Déjàvu)令牌.如in this article所述,是防止双重提交的正确方法.

This strategy addresses the problem of duplicate form submissions. A synchronizer token is set in a user’s session and included with each form returned to the client. When that form is submitted,the synchronizer token in the form is compared to the synchronizer token in the session. The tokens should match the first time the form is submitted. If the tokens do not match,then the form submission may be disallowed and an error returned to the user. Token mismatch may occur when the user submits a form,then clicks the Back button in the browser and attempts to resubmit the same form.

On the other hand,if the two token values match,then we are confident that the flow of control is exactly as expected. At this point,the token value in the session is modified to a new value and the form submission is accepted.