Closed stxss closed 1 year ago
Hey @stxss
Thanks for your feedback.
The lesson before, Form Basics, does mention about this but I agree it's not clear here at all. I think we just need to handle this in part1 of the HTML form section of the project where we can mention that they will need to provide the authenticity token as advised in the previous lesson.
What do you think?
Hello @CouchofTomato
Yup, I agree with your proposition.
Do you think that a quick mention of the form_authenticity_token from the previous lesson as a reminder should be enough?
@stxss Yes I think so. Are you happy for me to assign it to you?
@CouchofTomato yes, I'm happy to help.
@stxss all yours mate
Describe your suggestion
In the Project: Forms, before the form_tag part, the log output examples presented had an authenticity token present, where no mention of it was made anywhere in the lesson. So, for example, in the HTML form part of the assignment, where the student is asked to create a simple HTML form and proceed with the guide, the expected output for the Parameters is:
Parameters: {"authenticity_token" => "WUaJBOpLhFo3Mt2vlEmPQ93zMv53sDk6WFzZ2YJJQ0M=", "user" =>{ "username" => "foobar", "email" => "foo@bar.com", "password" => "[FILTERED]" } }
Now, when the student submits data, the actual output is similar to this:
Parameters: {"user"=>{"email"=>"foo@bar.com", "username"=>"foobar", "password"=>"[FILTERED]"}}
Only after this pure HTML form chapter is it mentioned that the form_tag will remove the need for an authenticity token. My issue with this is that it induces confusion in the student, where they expect either a) for an authenticity token to somehow appear or b) that they need to provide it themselves.
In the first case, well, that would be impossible until they reach the refactoring with form_tag part of the chapter. In the second case, the student would have to hardcode an authenticity token, which, even though used in this case as a simple example, can create security issues, so that's not a good habit to have.
I propose either that this is mentioned at the beginning, i.e. something along the lines of warning the student that they can use a random authenticity token just for the sake of the exercise but shouldn't do so in real applications, or that the examples are altered to have the authenticity token absent.
Path
Ruby / Rails
Lesson Url
https://www.theodinproject.com/lessons/ruby-on-rails-forms
Checks
(Optional) Discord Name
stass#6610
(Optional) Additional Comments
No response
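As an added illustration, not code from the lesson, the issue author or Rails itself, the following Ruby models how a Rails-style form_authenticity_token is masked with a fresh one-time pad on every render and then verified against the per-session secret when the form is submitted. It assumes a plain hash stands in for the session, models only the 64-byte masked form of the token, and uses the token string quoted in the issue above as the "copied from the lesson" case.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32 # same length Rails uses for the CSRF secret

# Constructed stand-in for a Rails session hash; Rails keeps the per-session
# secret under :_csrf_token and creates it on first use.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time equality, so the comparison leaks nothing about the secret.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the view helper returns: session secret XORed with a fresh one-time pad,
# pad prepended, Base64-encoded. The string differs on every render even
# though the secret behind it is the same.
def form_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_byte_strings(pad, real_csrf_token(session)))
end

# Server-side check on a submitted authenticity_token parameter.
def valid_authenticity_token?(session, encoded)
  secret = session[:_csrf_token]
  return false unless secret && encoded.is_a?(String)
  masked = (Base64.strict_decode64(encoded) rescue nil)
  return false unless masked && masked.bytesize == 2 * TOKEN_LENGTH
  pad, encrypted = masked[0, TOKEN_LENGTH], masked[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_byte_strings(pad, encrypted), secret)
end

# The two cases from the issue: the rendered token passes; a token copied
# from the lesson text (constructed value, tied to no session) does not.
def demo
  session = {}
  rendered = form_authenticity_token(session)
  { rendered_ok: valid_authenticity_token?(session, rendered),
    differs_per_render: rendered != form_authenticity_token(session),
    copied_ok: valid_authenticity_token?(session, "WUaJBOpLhFo3Mt2vlEmPQ93zMv53sDk6WFzZ2YJJQ0M=") }
end
```

This is why a hand-typed token in a raw HTML form cannot satisfy the check: only a value derived from the current session secret unmasks correctly, which is what the form helpers supply for you.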