
Commit 3979403

Change the protect_from_forgery prepend default to false
Per this comment #18334 (comment) we want `protect_from_forgery` to default to `prepend: false`. `protect_from_forgery` will now be inserted into the callback chain at the point it is called in your application. This is useful for cases where you want to `protect_from_forgery` after you perform required authentication callbacks or other callbacks that are required to run after forgery protection. If you want `protect_from_forgery` callbacks to always run first, regardless of position they are called in your application, then you can add `prepend: true` to your `protect_from_forgery` call.

Example:

```ruby
protect_from_forgery prepend: true
```
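The ordering the message describes, as an added example that is not the commit's or Rails' own code: a small pure-Ruby model of the before_action chain (ChainBase, the two controller classes and the token values are assumptions), showing that with the new default a callback declared before `protect_from_forgery` runs before the token is verified, while `prepend: true` restores the old order.

```ruby
# Added example, not Rails' own code: ChainBase is a minimal stand-in for the before_action chain.
class ChainBase
  VALID_TOKEN = "constructed-valid-token" # constructed sample value
  def self.callbacks
    @callbacks ||= []
  end
  # before_action inserts the callback at the point it is declared
  def self.before_action(name)
    callbacks << name
  end
  # Mirrors the option handling in the commit: the default is now prepend: false
  def self.protect_from_forgery(options = {})
    options = { prepend: false }.merge(options)
    if options[:prepend]
      callbacks.unshift(:verify_authenticity_token) # front of the chain
    else
      callbacks << :verify_authenticity_token       # position of the call
    end
  end

  # Runs the chain in order; a callback returning false halts it (as Rails
  # halts on an unverified request). Returns the names that actually ran.
  def process(token)
    called = []
    self.class.callbacks.each do |cb|
      called << cb
      break if send(cb, token) == false
    end
    called
  end

  def verify_authenticity_token(token) # stand-in for the real token check
    token == VALID_TOKEN
  end
  def authenticate_user(_token) # stand-in for a callback touching session state
    true
  end
end
# Authentication declared first, then protect_from_forgery with the new default:
# authenticate_user now runs before the token is verified.
class DefaultOrderController < ChainBase
  before_action :authenticate_user
  protect_from_forgery # prepend: false after this commit
end
# Same declarations, opting back into the pre-commit order with prepend: true.
class PrependedController < ChainBase
  before_action :authenticate_user
  protect_from_forgery prepend: true
end
```

Passing a forged token through `DefaultOrderController` shows `authenticate_user` executing before the check fails; the same request against `PrependedController` stops at the token check.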
1 parent ba1bfa7 commit 3979403

3 files changed: +32 −9 lines changed


actionpack/CHANGELOG.md

Lines changed: 23 additions & 0 deletions
@@ -1,3 +1,26 @@
1+
* Change the `protect_from_forgery` prepend default to `false`
2+
3+
Per this comment
4+
https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want
5+
`protect_from_forgery` to default to `prepend: false`.
6+
7+
`protect_from_forgery` will now be insterted into the callback chain at the
8+
point it is called in your application. This is useful for cases where you
9+
want to `protect_from_forgery` after you perform required authentication
10+
callbacks or other callbacks that are required to run after forgery protection.
11+
12+
If you want `protect_from_forgery` callbacks to always run first, regardless of
13+
position they are called in your application then you can add `prepend: true`
14+
to your `protect_from_forgery` call.
15+
16+
Example:
17+
18+
```ruby
19+
protect_from_forgery prepend: true
20+
```
21+
22+
* Eileen M. Uchitelle*
23+
124
* In url_for, never append a question mark to the URL when the query string
225
is empty anyway. (It used to do that when called like `url_for(controller:
326
'x', action: 'y', q: {})`.)
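Review bot: the new CHANGELOG entry carries a typo at its line 7, `insterted` should read `inserted` (the commit message has the same typo), and line 13 wants a comma before `then`. More substantively, the entry documents the flipped default without naming it as an upgrade-time behaviour change: after this commit, any application that declares `before_action` callbacks ahead of its `protect_from_forgery` call will run those callbacks before `verify_authenticity_token`, so they now execute on requests whose token has not yet been checked. A sentence stating that applications relying on the previous ordering must pass `prepend: true` would make the migration step explicit instead of leaving it to be inferred from the example.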

actionpack/lib/action_controller/metal/request_forgery_protection.rb

Lines changed: 7 additions & 7 deletions
@@ -102,21 +102,21 @@ module ClassMethods
102102
#
103103
# Valid Options:
104104
#
105-
# * <tt>:only/:except</tt> - Only apply forgery protection to a subset of actions. Like <tt>only: [ :create, :create_all ]</tt>.
105+
# * <tt>:only/:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
106106
# * <tt>:if/:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
107-
# * <tt>:prepend</tt> - By default, the verification of the authentication token is added to the front of the
108-
# callback chain. If you need to make the verification depend on other callbacks, like authentication methods
109-
# (say cookies vs OAuth), this might not work for you. Pass <tt>prepend: false</tt> to just add the
110-
# verification callback in the position of the protect_from_forgery call. This means any callbacks added
111-
# before are run first.
107+
# * <tt>:prepend</tt> - By default, the verification of the authentication token will be added at the position of the
108+
# protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
109+
# when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
110+
#
111+
# If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
112112
# * <tt>:with</tt> - Set the method to handle unverified request.
113113
#
114114
# Valid unverified request handling methods are:
115115
# * <tt>:exception</tt> - Raises ActionController::InvalidAuthenticityToken exception.
116116
# * <tt>:reset_session</tt> - Resets the session.
117117
# * <tt>:null_session</tt> - Provides an empty session during request but doesn't reset it completely. Used as default if <tt>:with</tt> option is not specified.
118118
def protect_from_forgery(options = {})
119-
options = options.reverse_merge(prepend: true)
119+
options = options.reverse_merge(prepend: false)
120120

121121
self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
122122
self.request_forgery_protection_token ||= :authenticity_token
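Review bot: in the rewritten `:prepend` rdoc, `Oauth` on line 109 should be `OAuth` (the removed text spelled it correctly). The new wording also describes only the new default; since the old default was the opposite, a sentence noting that callbacks declared before the `protect_from_forgery` call now run before the token is verified, and therefore must not assume the request has been verified, would help readers of this option. The `reverse_merge(prepend: false)` change itself matches the renamed test in the same commit.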

actionpack/test/controller/request_forgery_protection_test.rb

Lines changed: 2 additions & 2 deletions
@@ -540,10 +540,10 @@ def test_verify_authenticity_token_is_not_prepended
540540
assert_equal(expected_callback_order, @controller.called_callbacks)
541541
end
542542

543-
def test_verify_authenticity_token_is_prepended_by_default
543+
def test_verify_authenticity_token_is_not_prepended_by_default
544544
@controller = PrependDefaultController.new
545545
get :index
546-
expected_callback_order = ["verify_authenticity_token", "custom_action"]
546+
expected_callback_order = ["custom_action", "verify_authenticity_token"]
547547
assert_equal(expected_callback_order, @controller.called_callbacks)
548548
end
549549
end
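Review bot: after the rename, `test_verify_authenticity_token_is_not_prepended_by_default` expects the same order, `["custom_action", "verify_authenticity_token"]`, as `test_verify_authenticity_token_is_not_prepended` directly above it, so the two tests no longer distinguish the default from an explicit `prepend: false`. The case that needs coverage after this change is the opt-in: a controller calling `protect_from_forgery prepend: true` and expecting `["verify_authenticity_token", "custom_action"]`. It is not visible in this hunk, so if it does not already exist elsewhere in the file it should be added here.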
