From 26720d5a3ceccdd65fd6ae4931f179b9661f638b Mon Sep 17 00:00:00 2001
From: Haroon Ahmed <haroon.ahmed25@gmail.com>
Date: Sat, 24 Jul 2021 22:33:03 +0100
Subject: [PATCH] Fixes an issue where an error is raised when a new rails app
 hits the internal rails welcome page, the exception is
 ActionController::RequestForgeryProtection::DisabledSessionError

Co-authored-by: Petrik de Heus <petrik@deheus.net>
---
 railties/lib/rails/welcome_controller.rb  |  1 +
 railties/test/application/routing_test.rb | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/railties/lib/rails/welcome_controller.rb b/railties/lib/rails/welcome_controller.rb
index 5b84b57679..986c7c0a74 100644
--- a/railties/lib/rails/welcome_controller.rb
+++ b/railties/lib/rails/welcome_controller.rb
@@ -3,6 +3,7 @@
 require "rails/application_controller"
 
 class Rails::WelcomeController < Rails::ApplicationController # :nodoc:
+  skip_forgery_protection
   layout false
 
   def index
diff --git a/railties/test/application/routing_test.rb b/railties/test/application/routing_test.rb
index e76c74aaeb..420c8e5ad2 100644
--- a/railties/test/application/routing_test.rb
+++ b/railties/test/application/routing_test.rb
@@ -734,5 +734,18 @@ module ApplicationTests
       get "/url"
       assert_equal "/foo", last_response.body
     end
+
+    test "request to rails/welcome for api_only app is successful" do
+      add_to_config <<-RUBY
+        config.api_only = true
+        config.action_dispatch.show_exceptions = false
+        config.action_controller.allow_forgery_protection = true
+      RUBY
+
+      app "development"
+
+      get "/"
+      assert_equal 200, last_response.status
+    end
   end
 end