Rails support should handle normal hidden tags #5

Closed
nirvdrum opened this issue Oct 26, 2013 · 4 comments
@nirvdrum

The built-in Rails form_for helper sets up some hidden tags that Rails essentially needs to process forms correctly under normal circumstances. These include a utf8 field, the HTTP method (as _method), and the authenticity_token for CSRF protection. I guess remote is another if using the remote form stuff, but I don't think that really needs to be handled.

@jeremyevans
Owner

I don't think that forme's Rails support should do something just because Rails form_for does so.

I do agree that the authenticity_token should be added automatically for forms using POST, and I'd like to support that on Sinatra as well using rack-csrf.

Personally, I've always thought that Rails' way of trying to fake HTTP verbs that browsers do not support is stupid. I suppose there are Rails applications that rely on it (though none of my Rails apps do), but as it is not strictly necessary, I don't think the method should be added by default.

The utf8 tag I don't think should be added automatically by default either, as I don't like forcing an encoding on people.

That's not to say that we can't add options that add the method and utf8 tags automatically, I just don't want it to be the default.

Ideally the underlying implementation for this would be something transformer-like that is applied to all new Form objects at the end of Form#initialize. The tricky thing about it is making sure the transformer has the ability to access the necessary context containing the authenticity token.

@nirvdrum
Author

Is there a better approach than using _method? Browsers can only do GET or POST (excluding XMLHttpRequest) and I'm not aware of any other way to get Rails to handle a PUT or DELETE than the _method param. I don't think it's great practice either, but I'm just trying to play with the hand I've been dealt.

@jeremyevans
Owner

Personally, since browsers only do GET and POST, I don't use other HTTP verbs for actions that I want a browser to execute. For non-browser based applications, I think other HTTP verbs are fine. Considering that forme is a HTML form library designed for browsers, by design it only uses GET and POST.

I do understand playing the hand you've been dealt, and certainly think it would generally be useful to have a transformer/callback so that all forms created by forme can be modified in a way that suits the app, instead of having to do the same modifications in each call. This even affects my personal usage of forme, since currently I have to add CSRF tags to all POST forms manually.

@jeremyevans
Owner

Please give this a shot and let me know if it works for you. I think it should be flexible enough to handle most needs.
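
An added illustration of the approach discussed in this thread, not code from forme or from any participant: a callback run at the end of form initialization that adds the `authenticity_token` hidden tag to POST forms only, reading the token from request context. `DemoForm`, `HOOKS`, `csrf_token` and `valid_csrf?` are hypothetical names, and the session is assumed to be a plain Hash.

```ruby
require 'securerandom'

# Hypothetical stand-in for a form object; this is not forme's Form class.
class DemoForm
  HOOKS = [] # callbacks applied to every new form at the end of initialize
  ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;' }.freeze
  attr_reader :attrs, :context, :hidden

  def initialize(attrs = {}, context = {})
    @attrs = { method: 'get' }.merge(attrs)
    @context = context # request-scoped data the hooks may need (the session)
    @hidden = {}
    HOOKS.each { |hook| hook.call(self) }
  end

  def post?
    attrs[:method].to_s.casecmp('post').zero?
  end

  def to_html
    tags = hidden.map do |name, value|
      %(<input type="hidden" name="#{h(name)}" value="#{h(value)}"/>)
    end
    %(<form action="#{h(attrs[:action])}" method="#{h(attrs[:method])}">#{tags.join}</form>)
  end

  private

  def h(value)
    value.to_s.gsub(/[&<>"']/, ESCAPES)
  end
end

# One random token per session, created on first use.
def csrf_token(session)
  session[:csrf] ||= SecureRandom.urlsafe_base64(32)
end

# Server-side check of a submitted token; the comparison does not exit early.
def valid_csrf?(session, submitted)
  expected = session[:csrf].to_s
  given = submitted.to_s
  return false if expected.empty? || expected.bytesize != given.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# The hook: GET forms are skipped so the token never appears in a URL.
DemoForm::HOOKS << lambda do |form|
  next unless form.post?
  form.hidden['authenticity_token'] = csrf_token(form.context.fetch(:session))
end
```
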
