Rails: update first form project description to account for default form submission behavior with Turbo #28932
Comments
jg-k
changed the title
jg-k
changed the title
|
@TheOdinProject/rails-path thoughts? |
|
Yeah this was written before turbo so it will have changed. I think we need to do a Turbo and heading towards Rails 8 overhaul of the TOP content. |
|
This issue is stale because it has had no activity for the last 30 days. |
github-actions
bot
added
the
Status: Stale
|
@jg-k Are you still interested in working on this issue? |
JoshDevHub
removed
the
Status: Stale
|
yeah sure. I d be happy to propose a local fix to this lesson if you guys are intrested. Regarding this comment from @CouchofTomato
I haven t progress much further, so I don't have the overview, but I suspect there are many more places that may need rewriting in light of turbo + rails 8 upgrades. so not sure how meaningful it is to update this section only, and I would not be qualified for this large scale overhaul... Just let me know if you re interested in a local fix and i ll propose something, keeping the tasks the same, but adding a warning on how to disable turbo for the sake of the exercise and get expected behavior with/without adding csrf tag in the form. |
|
Thanks @jg-k I'm happy with a local fix. I've started drafting a course update but it won't be done for a little while yet. |
|
@CouchofTomato @JoshDevHub |
Checks
Describe your suggestion
In the first rails form project, it is advised to start by writing the first form HTML manually, without using rails helpers.
Step 1 mentions
"You don’t want to forget about safety, so make sure you provide the form with an authenticity token. If you don’t remember how to do so, go back to the Form Basics lesson and refresh your memory."
This link points to a section of the rails form basic lesson where it suggests that "You’ll either get an error or your user session will get zeroed out (depending on your Rails version)".
But in practice, when writing the form HTML manually without hidden element with the form authentication token, the form still submits successfully without CSRF error and a record is created.
This appears to be because forms are now submitted with Turbo by default, and in this case, the token generated with the csrf tag in "head" in
application.html.erbis the one that is required and validated when the form is submitted.Alternatively, when setting
data-turbo="false"on the form element to disable submission via turbo, and still omitting the hidden element with the form authenticity token, the csrf error is triggered as expected.It could be beneficial to clarify this behavior in the project task description and/ or in the rails form basics lesson.
Path
Ruby / Rails
Lesson Url
https://www.theodinproject.com/lessons/ruby-on-rails-forms
(Optional) Discord Name
jegK
(Optional) Additional Comments
No response
The text was updated successfully, but these errors were encountered: