-
Notifications
You must be signed in to change notification settings - Fork 21.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docs: bad default for default_protect_from_forgery
#39387
Conversation
On a new Rails 6 app this defaults to true. It is a bit confusing though, in that [here](https://github.com/rails/rails/blob/v6.0.3.1/railties/lib/rails/application/configuration.rb#L117) it's `true` but [here](https://github.com/rails/rails/blob/v6.0.3.1/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L99) it's false.
Thank you for the PR, I agree it is not perfectly clear, but it is all documented. See https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults. |
@kamipo the problem is the docs contradict themselves. In https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults it says the default value of In https://guides.rubyonrails.org/configuring.html#configuring-action-controller it says the default value of As a user this means I have to go and read the Rails code (or boot a new Rails app and check in the console) if I want to be 100% sure what the actual default is. |
Yeah, As I said the above, the load_defaults strategy (legacy settings by default in the codebase, then overwritten by new defaults in railties) is very confusing to me too. To be honest, I prefer that new defaults by default, then overwritten by legacy defaults if needed, like as Active Record Migration Versioning. |
Hmmm okay. I didn't understand how But even if the strategy is confusing, the docs don't have to be. If I understand right, what you're saying is:
Is that correct? In my opinion that's much too confusing for a casual/new user. It would be much better to assume everyone by now uses |
btw I can move this over to https://discuss.rubyonrails.org/c/a-may-of-wtfs/8 if it makes more sense to discuss there |
@ghiculescu You are probably right. I think a good approach might be to say something like "This is Yes, feel free to make a thread on the May of WTFs forum! That will let others chime in as to whether this is would be helpful. |
Correct.
With which value? That is what is important and what the documentation can't capture. This is why we have a section to explain what it means when each value is passed to For a lot of configs the text would look like: I think that is even more confusing. An alternative is not to talk at all about which is the default value on the config but only in the |
I think listing only the most recent default (at the time of publishing) could be sufficient.
That could work too. It would be a bit less helpful, but it would still prevent confusion, and wouldn't require any maintenance. |
We could improve the entries to add a link like |
I'd be happy with either of these outcomes and am happy to PR either. In both cases it seems like this would remove the contradiction, which is the main thing that bothered me. |
@ghiculescu That would be great! Let's remove the defaults from the various sections, like Rafael suggested. But while you're at it, if you don't mind, could you add another section under "For '5.0'" titled "Baseline defaults", and relocate the defaults there? Then we can leverage the existing structure of the document by changing the "For '5.0':" heading to "For '5.0', baseline defaults from below and:". |
Mentioning the baseline default for a config option can be confusing when that default is overridden by `config.load_defaults`. To avoid that confusion, this commit relocates such baseline defaults from their explanatory paragraphs to a "Baseline defaults" section that flows with the other `config.load_defaults` sections. Ideally, when we override other baseline defaults in the future, we will relocate mention of them as done here. Closes rails#39387.
On a new Rails 6 app this defaults to true.
It is a bit confusing though, in that here it's
true
but here it'sfalse
. Should I update the code to be consistent also?