Updates configuring.md to be more clear on framework defaults #37586
Conversation
I was confused in looking through the documentation. It seems that for brand new applications, `config.action_controller.default_protect_from_forgery` is `true`. Only when upgrading, and before you flip the new framework defaults, it is `false`.

Currently, the docs say:

> config.action_controller.default_protect_from_forgery determines whether forgery protection is added on ActionController::Base. This is false by default.

However, a little bit further it says (in https://edgeguides.rubyonrails.org/configuring.html#with-5-2):

> config.action_controller.default_protect_from_forgery: true

Additionally, `config/initializers/new_framework_defaults_5_2.rb` says:

> This file contains migration options to ease your Rails 5.2 upgrade.
> Once upgraded flip defaults one by one to migrate to the new default.
> ...
> # Rails.application.config.action_controller.default_protect_from_forgery = true

It seems to me that the default is actually `true`.
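To see which value an application actually ends up with, here is an added Ruby script (not part of this PR or of the Rails code base) that approximates the resolution order the description above walks through: `config.load_defaults 5.2` or later turns the option on, an explicit assignment in `config/application.rb` or an initializer wins, and the commented-out line in `new_framework_defaults_5_2.rb` changes nothing. The file contents are constructed samples; the file-ordering and comment-stripping rules are simplifications of Rails' real loader.

```ruby
# Added example (not from the PR or Rails): estimate the effective value of
# config.action_controller.default_protect_from_forgery from an app's config.
# Approximation of Rails' load order: config/application.rb is read first
# (load_defaults >= 5.2 turns the option on), then initializers; the last
# explicit assignment wins; commented-out lines change nothing.

SETTING = /action_controller\.default_protect_from_forgery\s*=\s*(true|false)\b/
LOAD_DEFAULTS = /\bload_defaults\s+["']?(\d+)\.(\d+)["']?/

# files: { path => contents }. Returns true when forgery protection will be
# added to ActionController::Base by default, false otherwise.
def forgery_protection_default?(files)
  enabled = false # baseline before any framework defaults are applied: off
  # "config/application.rb" sorts before "config/initializers/", which
  # matches the order Rails evaluates them in (assumption of this script)
  files.sort.each do |_path, contents|
    contents.each_line do |line|
      code = line.sub(/#.*/, "").strip # drop comments, e.g. "# Rails.application..."
      next if code.empty?
      if (m = code.match(LOAD_DEFAULTS))
        enabled = true if ([m[1].to_i, m[2].to_i] <=> [5, 2]) >= 0
      elsif (m = code.match(SETTING))
        enabled = (m[1] == "true") # explicit assignment overrides the defaults
      end
    end
  end
  enabled
end

# Constructed sample configurations for the three cases in the thread.
NEW_APP = {
  "config/application.rb" => "class Application < Rails::Application\n  config.load_defaults 5.2\nend\n"
}
UPGRADED_APP = {
  "config/application.rb" => "class Application < Rails::Application\n  config.load_defaults 5.1\nend\n",
  "config/initializers/new_framework_defaults_5_2.rb" =>
    "# Rails.application.config.action_controller.default_protect_from_forgery = true\n"
}
FLIPPED_APP = UPGRADED_APP.merge(
  "config/initializers/new_framework_defaults_5_2.rb" =>
    "Rails.application.config.action_controller.default_protect_from_forgery = true\n"
)

if __FILE__ == $0
  { "new app" => NEW_APP, "upgraded" => UPGRADED_APP, "flipped" => FLIPPED_APP }.each do |name, files|
    puts "#{name}: default_protect_from_forgery => #{forgery_protection_default?(files)}"
  end
end
```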
By default

To apply the framework defaults we use
Thanks - I did not see that. I'm still not completely clear. What calls Thanks in advance! Somehow I am not understanding what I read from the docs. Edit: I now see that Here is the exact scenario that led to my confusion:
@systemnate Please read #34855 (comment). I also opened PR to clarify docs of
Thanks for the additional history and new PR. I think it is an improvement; however, I would still be confused if I were to read it for the first time again. In the comment you linked to, @rafaelfranca said:
Can you help me understand why it is essential to talk about the defaults when no railtie code is applied? It appears that the reason is to avoid someone removing Existing verbiage:
@@ -440,7 +440,7 @@ The schema dumper adds two additional configuration options: | |||
|
|||
* `config.action_controller.per_form_csrf_tokens` configures whether CSRF tokens are only valid for the method/action they were generated for. | |||
|
|||
* `config.action_controller.default_protect_from_forgery` determines whether forgery protection is added on `ActionController::Base`. This is false by default. | |||
* `config.action_controller.default_protect_from_forgery` determines whether forgery protection is added on `ActionController::Base`. For new applications, the default is true. |
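Review bot: the replacement line at 440 narrows the sentence to "For new applications, the default is true" without saying what happens for applications upgraded from earlier versions, which is exactly the case the PR description says caused the confusion (the option stays false until the 5.2 framework defaults are flipped). Suggest stating the framework default plainly and adding the upgrade caveat in the same sentence, e.g. "This is true by default. Applications upgraded from earlier versions keep it false until they load the 5.2 framework defaults." Linking the `with-5-2` section of this guide from the bullet would also show readers where `true` comes from.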
We can follow other places and simply say:
This is true by default.
We change a lot of these options, and in this guide we should just mention what the defaults are.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.