mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
880a1bedb9
Calling `skip_forgery_protection` without first calling `protect_from_forgery`--either manually or through default settings--raises an `ArgumentError` because `verify_authenticity_token` has not been defined as a callback. Since Rails 7.0 adds `skip_forgery_protection` to the `Rails::WelcomeController` (PR #42864), this behavior means that setting `default_protect_from_forgery` to false and visiting the Rails Welcome page (`/`) raises an error. This behavior also created an issue for `ActionMailbox` that was previously fixed in the Mailbox controller by running `skip_forgery_protection` only if `default_protect_from_forgery` was true (PR #35935).

This PR addresses the underlying issue by setting the `raise` option for `skip_before_action` to default to false inside `skip_forgery_protection`.

The fix is implemented in `request_forgery_protection.rb`. The change to `ActionMailbox`'s `base_controller.rb` removes the now-unnecessary check of `default_protect_from_forgery`.

The tests added in `request_forgery_protection_test.rb` and `routing_test.rb` both raise an error when run against the current codebase and pass with the changes noted above.
| Name |
|---|
| action_mailbox |
| rails/conductor |
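The behaviour described in the commit message above, as an added example that is not code from the Rails repository: a simplified pure-Ruby model of the callback chain showing the `ArgumentError` before the change and the silent skip after it. `ModelController`, `skip_forgery_protection_before_fix` and `skip_outcome` are hypothetical names, and merging `raise: false` into the options is an assumed shape for the fix.

```ruby
# Simplified stand-in (assumption) for a controller's before-callback chain.
# Not Rails code: it only mirrors the skip/raise behaviour the message describes.
class ModelController
  class << self
    def callbacks
      @callbacks ||= []
    end

    def inherited(subclass)
      super
      subclass.instance_variable_set(:@callbacks, callbacks.dup)
    end

    def protect_from_forgery
      callbacks << :verify_authenticity_token unless callbacks.include?(:verify_authenticity_token)
    end

    # With raise: true, skipping a callback that was never defined is an error.
    def skip_before_action(name, raise: true)
      return unless callbacks.delete(name).nil? && raise
      Kernel.raise ArgumentError, "#{name} has not been defined as a callback"
    end

    # Before the change: the skip runs with the raising default.
    def skip_forgery_protection_before_fix
      skip_before_action :verify_authenticity_token
    end

    # After the change: raise defaults to false; a caller can still pass raise: true.
    def skip_forgery_protection(options = {})
      opts = { raise: false }.merge(options)
      skip_before_action :verify_authenticity_token, **opts
    end
  end
end

# Builds a parent controller (protected or not), then skips in a child controller.
def skip_outcome(protection_enabled, skipper, *args)
  parent = Class.new(ModelController)
  parent.protect_from_forgery if protection_enabled
  child = Class.new(parent)
  child.public_send(skipper, *args)
  child.callbacks.include?(:verify_authenticity_token) ? :still_checked : :skipped
rescue ArgumentError
  :argument_error
end
```

In this model the skip only edits the child's copy of the chain, so a parent that called `protect_from_forgery` keeps its token check.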