禁用 authenticity_token

对于这个问题，google了好长时间，终于找到答案，

No modifications to work with CSRF protection were applied to the in_place_editing plugin, as a result it doesn't work at all with CSRF protection turned on.

Also, scriptaculous/prototype have moved away from the evalScripts option for Ajax.Request, the option is now htmlResponse (htmlResponse should be the opposite of the old evalScripts). As a result at the moment for some requests the RJS does not get evaluated and instead is inserted into the page as escaped text.

Attached is a patch that fixes both these issues in the plugin, including additional tests.

Also changed: added the :text_between_controls option available in modern scriptaculous, for rendering things like <input type="submit" value="Save"/> or <a href="whatever">cancel</a>.

lib/in_place_macros_helper.rb

old	new
40	40	function << "'#{url_for(options[:url])}'"
41	41
42	42	js_options = {}
	43
	44	if protect_against_forgery?
	45	options[:with] ||= "Form.serialize(form)"
	46	options[:with] += " + '&authenticity_token=' + encodeURIComponent('#{form_authenticity_token}')"
	47	end
	48
43	49	js_options['cancelText'] = %('#{options[:cancel_text]}') if options[:cancel_text]
44	50	js_options['okText'] = %('#{options[:save_text]}') if options[:save_text]
45	51	js_options['loadingText'] = %('#{options[:loading_text]}') if options[:loading_text]
…	…
50	56	js_options['externalControl'] = "'#{options[:external_control]}'" if options[:external_control]
51	57	js_options['loadTextURL'] = "'#{url_for(options[:load_text_url])}'" if options[:load_text_url]
52	58	js_options['ajaxOptions'] = options[:options] if options[:options]
53		js_options['evalScripts'] = options[:script] if options[:script]
	59	js_options['htmlResponse'] = !options[:script] if options[:script]
54	60	js_options['callback'] = "function(form) { return #{options[:with]} }" if options[:with]
55	61	js_options['clickToEditText'] = %('#{options[:click_to_edit_text]}') if options[:click_to_edit_text]
	62	js_options['textBetweenControls'] = %('#{options[:text_between_controls]}') if options[:text_between_controls]
56	63	function << (', ' + options_for_javascript(js_options)) unless js_options.empty?
57	64
58	65	function << ')'

说是rails2.0以后，内置了一个防止CSRF (Cross-Site Request Forgery)攻击的功能，protect_from_forgery　方法。

解决办法是在in_place_macros_helper.rb　文件中加了一段代码：

if protect_against_forgery?
options[:with] ||= "Form.serialize(form)"
options[:with] += " + '&authenticity_token=' + encodeURIComponent('#{form_authenticity_token}')"
end

删除
js_options['evalScripts'] = options[:script] if options[:script]
添加
js_options['htmlResponse'] = !options[:script] if options[:script]
js_options['textBetweenControls'] = %('#{options[:text_between_controls]}') if options[:text_between_controls]

引用：http://dev.rubyonrails.org/ticket/10055
http://dev.rubyonrails.org/attachment/ticket/10055／in_place_editing_should_work_with_csrf_and_rjs.patch


另一解决方法：（不安全）
由于我的rails是从rails１。0升级到２。１。２的，所以在test环境中也会使用Request forgery protection（防止csrf）攻击功能，所以在environment.rb文件中设置如下，可取消保护
config.action_controller.allow_forgery_protection = false