Calling `skip_forgery_protection` without first calling `protect_from_forgery`--either manually or through default settings--raises an `ArgumentError` because `verify_authenticity_token` has not been defined as a callback. Since Rails 7.0 adds `skip_forgery_protection` to the `Rails::WelcomeController` (PR #42864), this behavior means that setting `default_protect_from_forgery` to false and visiting the Rails Welcome page (`/`) raises an error. This behavior also created an issue for `ActionMailbox` that was previously fixed in the Mailbox controller by running `skip_forgery_protection` only if `default_protect_from_forgery` was true (PR #35935). This PR addresses the underlying issue by setting the `raise` option for `skip_before_action` to default to false inside `skip_forgery_protection`. The fix is implemented in `request_forgery_protection.rb`. The change to `ActionMailbox`'s `base_controller.rb` removes the now-unnecessary check of `default_protect_from_forgery`. The tests added in `request_forgery_protection_test.rb` and `routing_test.rb` both raise an error when run against the current codebase and pass with the changes noted above.
1.6 KiB
-
Fix
skip_forgery_protection
to run without raising an error if forgery protection has not been enabled /verify_authenticity_token
is not a defined callback.This fix prevents the Rails 7.0 Welcome Page (
/
) from raising anArgumentError
ifdefault_protect_from_forgery
is false.Brad Trick
-
Make
redirect_to
return an empty response body.Application controllers that wish to add a response body after calling
redirect_to
can continue to do so.Jon Dufresne
-
Use non-capturing group for subdomain matching in
ActionDispatch::HostAuthorization
Since we do nothing with the captured subdomain group, we can use a non-capturing group instead.
Sam Bostock
-
Fix
ActionController::Live
to copy the IsolatedExecutionState in the ephemeral thread.Since its inception
ActionController::Live
has been copying thread local variables to keep things such asCurrentAttributes
set from middlewares working in the controller action.With the introduction of
IsolatedExecutionState
in 7.0, some of that global state was lost inActionController::Live
controllers.Jean Boussier
-
Fix setting
trailing_slash: true
in route definition.get '/test' => "test#index", as: :test, trailing_slash: true test_path() # => "/test/"
Jean Boussier
-
Make
Session#merge!
stringify keys.Previously
Session#update
would, butmerge!
wouldn't.Drew Bragg
Please check 7-0-stable for previous changes.