Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix loading ActionMailbox::BaseController when CSRF protection is disabled #35935

Merged
merged 1 commit into from Apr 11, 2019
Merged

Fix loading ActionMailbox::BaseController when CSRF protection is disabled #35935

merged 1 commit into from Apr 11, 2019

Conversation

y-yagi
Copy link
Member

@y-yagi y-yagi commented Apr 11, 2019

When default_protect_from_forgery is false, verify_authenticity_token callback does not define and skip_forgery_protection raise exception.

Fixes #34837.

@y-yagi
Fix loading ActionMailbox::BaseController when CSRF protection is d…
1b2f173 
…isabled

When `default_protect_from_forgery` is false, `verify_authenticity_token`
callback does not define and `skip_forgery_protection` raise exception.

Fixes rails#34837.
@y-yagi
Copy link
Member Author

y-yagi commented Apr 11, 2019

cc @georgeclaghorn

@georgeclaghorn georgeclaghorn merged commit 45511fa into rails:master Apr 11, 2019
@y-yagi y-yagi deleted the fixes_34837 branch April 11, 2019 09:53
@brtrick brtrick mentioned this pull request Feb 24, 2022
Merged
brtrick added a commit to brtrick/rails that referenced this pull request Feb 28, 2022
@brtrick
Allow skip_forgery_protection if no protection set
880a1be 
Calling `skip_forgery_protection` without first calling
`protect_from_forgery`--either manually or through default
settings--raises an `ArgumentError` because `verify_authenticity_token`
has not been defined as a callback.

Since Rails 7.0 adds `skip_forgery_protection` to the
`Rails::WelcomeController` (PR rails#42864), this behavior means that setting
`default_protect_from_forgery` to false and visiting the Rails Welcome
page (`/`) raises an error.

This behavior also created an issue for `ActionMailbox` that was
previously fixed in the Mailbox controller by running
`skip_forgery_protection` only if `default_protect_from_forgery` was
true (PR rails#35935).

This PR addresses the underlying issue by setting the `raise` option for
`skip_before_action` to default to false inside
`skip_forgery_protection`.

The fix is implemented in `request_forgery_protection.rb`. The change to
`ActionMailbox`'s `base_controller.rb` removes the now-unnecessary
check of `default_protect_from_forgery`.

The tests added in `request_forgery_protection_test.rb` and
`routing_test.rb` both raise an error when run against the current
codebase and pass with the changes noted above.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
actionmailbox
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@y-yagi @georgeclaghorn