i get this exception
ActionController::MethodNotAllowed: Only get requests are allowed.
please can any one give solution for this
This error means you are trying to post/put/delete to a path that only accepts GET requests. You need to confirm that your route and the path and/or form method you are using match up.
This error occurs when you have defined a standard route and a client is trying to connect to the route using a HTTP method different than GET or POST.
Usually, this is caused by clients using the Microsoft Office Protocol Discovery. These clients send an OPTION request which is not supported by Rails.
You can fix the problem in multiple ways:
ignore the error in your production environment
prevent the error using a before_filter and head 406 in your controller
rescue the error using rescue_from in your controller
prevent the error filtering the request via Rack Middleware
prevent the error blocking non GET/POST/HEAD requests using your webserver
I personally prefer the last option, but it requires you to have administration privileges on the server. Otherwise, the Rack Middleware option is the most efficient way to filter unexpected requests.
How are you trying to get to this page? It looks like you are trying to do some other kind of RESTful call (put, post, delete) and that method. A code snipped of that controller would be really helpful to diagnose the problem.
Related
I work on a number of Rails sites with forms and take advantage of Rails built-in authenticity token support. Works like a charm. Happy Happy Joy Joy.
It varies, but I would say I average about a SQL injection attack once a month that is successfully caught as having a failed authenticity token check. Wonderful.
The problem is the failed authenticity token check generates an ActionController::InvalidAuthenticityToken exception which returns an HTTP 5xx error because it is an unhandled exception. Good: the bad request is not allowed. Bad: The hacker is functionally informed that my server crashed which is hacker-code for KEEP ATTACKING THIS INTERFACE AT ALL COSTS because they aren't catching this error.
So what is the best way to handle this? If I simply try to wrap my controller method in a try/except, it doesn't even get to my method. It seems that if I want to respond with an access denied or some similar "bad user input" error (HTTP 4xx) then I would have to plug into the pipeline which seems like overkill for something the entire world has to deal with.
Also, what is the proper HTTP response? 400 (Bad Request)? Seems correct, but the other common scenario that generates this error is when a user pulls up your form from cache after the access token has timed out. In this case, the best user experience would be to simply refresh the form with a message saying it took too long for them to fill out the form or something like that. I suppose that could be in the body of an HTTP 400 response.
So how do I build this? Maybe something in the ApplicationController? Why isn't this the default? Maybe it is being handled properly and my "Unhandled Exception" reports are earlier in the pipeline?
I am new to ASP.NET MVC. I am using http POST for custom validation. Recently I learned that both http POST and http GET are used to send data to the server. HTTP POST is more secure while http GET is less secure as it sends the data in the query string.
I want to know then, is it possible to get completely rid of HTTP GET in my project as its function is similar to http POST? I tried that but it immediately gave error as soon as I started debugging the project. It said "The resource cannot be found.". I am confused. Please help.
I would recommend to review Http Methods - MDN
Since you just started the right course of action would be to use GET to obtain the data (e.g. load the form) and POST to update the data (submit the form to the server).
If the application you are working on is written in plain ASP.NET MVC it will be impossible to completely avoid GET (as it is used by the browser to load application pages/views).
Once you are ready to move to REST APIs you might want to deeper explore PUT, DELETE and other methods
I have a ruby-on-rails application running locally on a WEBrick server. I am using Postman to trigger HTTP Methods (POST, GET, etc) in order to check if any error page is shown to the users. The figure below shows one of the error pages found when performing a POST to the home page:
WEBrick Error page
As one can note, the physical path to the application directory is disclosed: /home/dennis/dunbarwebsite
Leaking this kind of information may help one fine-tune attacks against the application. Hence, I would like to know if it is possible to forward this error page to a custom one, like the custom redirection to errors 404 and 500.
Thanks in advance,
Dennis.
That error page only appears in development mode.
Add a catchall route at the end of routes.rb:
match "*path", to: redirect('/'), via: :all
How can I invoke a request to any url (controller/action) of my Rails3 application inside of application?
I've tried to use app object (Application) with get method, but it works only from console and not in the application.
For example: I have a controller that could handle all requests. It is not configured in routes.rb and this controller could parse the request.uri and return HTML in accordance of request. I need to get this html inside of application in other controller.
What you are asking for is the component feature that was officially removed from Rails in 2008 because it was slow and leads to bad design practices.
You can try to reproduce the feature, if you really need it. Or you can perform a new HTTP request internally (using a HTTP client) to the second location, get the response and then return the result.
If there's an exception in a Rails application, one gets an error page with the call stack, request parameters and a code excerpt.
Is it possible to create a different output if the request is an XHR request?
Is it possible to re-define the exception output in general? (I assume that would automatically answer the first question)
You could try overriding rescue_action in your action controller.
def rescue_action(exception)
if request.xhr?
custom_xhr_error_handling_for(exception)
else
super
end
end
The more traditional way is to use rescue_from Exception, :custom_xhr_error_handling_for but that removes your ability to let the default code do the dirty work if it later turns out it was not an xhr response.
You only see the page with traceback in development mode, while in production mode you see a standard error page (located in public/500.html) which just says an error occurred.
This is meant for security reasons, and it's not, of course, limited to rails: all web application frameworks do the same, as the backtrace can disclose sensitive information (it sometimes happen that you see an error message on a web app displaying the db connection string, or some password, or the like; well, you don't want this to happen).
In development mode, on XHR calls, you still receive the backtrace (I use firebug to debug my apps, so I just copy it and paste somewhere).
In production mode you can handle XHR errors from within the ajax call, by explicitly set a function to be executed on error by setting the :failure param of functions like remote_function.