In the first Rails form project, it is advised to start by writing the first form HTML manually, without using Rails helpers.
Step 1 mentions:
"You don’t want to forget about safety, so make sure you provide the form with an authenticity token. If you don’t remember how to do so, go back to the Form Basics lesson and refresh your memory."
This link points to a section of the Rails Form Basics lesson where it suggests that "You’ll either get an error or your user session will get zeroed out (depending on your Rails version)".
But in practice, when writing the form HTML manually without a hidden element with the form authenticity token, the form still submits successfully without a CSRF error and a record is created.
This appears to be because forms are now submitted with Turbo by default, and in this case the token generated with the CSRF meta tag in the "head" of application.html.erb is the one that is required and validated when the form is submitted.
Alternatively, when setting data-turbo="false" on the form element to disable submission via Turbo, and still omitting the hidden element with the form authenticity token, the CSRF error is triggered as expected.
It could be beneficial to clarify this behavior in the project task description and/or in the Rails Form Basics lesson.
Path
Ruby / Rails
Lesson Url
https://www.theodinproject.com/lessons/ruby-on-rails-forms
(Optional) Discord Name
jegK
(Optional) Additional Comments
No response
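The behaviour described in this issue, as an added example that is not part of the original report or of Rails itself: a simplified model of Rails' request-forgery check (token masking and per-form tokens are omitted) that accepts the session token from either the `authenticity_token` form field or the `X-CSRF-Token` header, which is why a Turbo submission passes without the hidden field while a `data-turbo="false"` form without it is rejected. The `CsrfCheck` class and the three submission helpers are assumptions written for this example.

```ruby
require "securerandom"

# Simplified model of Rails' request-forgery protection (not Rails' own code):
# a request is verified when the session's CSRF token matches either the
# "authenticity_token" form parameter or the X-CSRF-Token request header.
# Real Rails additionally masks tokens and supports per-form tokens.
class CsrfCheck
  HEADER = "X-CSRF-Token"
  PARAM  = "authenticity_token"

  attr_reader :session_token

  def initialize
    # In Rails this token lives in the session; here it is generated per instance.
    @session_token = SecureRandom.base64(32)
  end

  # params: submitted form fields; headers: request headers.
  # Returns true when the request carries a valid token by either route.
  def verified_request?(params: {}, headers: {})
    candidate = params[PARAM] || headers[HEADER]
    return false if candidate.nil?
    secure_compare(candidate, session_token)
  end

  private

  # Constant-time comparison so the token check does not leak timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Turbo reads <meta name="csrf-token"> from the layout head and sends it as a
# header, so the hand-written form needs no hidden field.
def turbo_submission(check)
  check.verified_request?(params: { "title" => "x" },
                          headers: { CsrfCheck::HEADER => check.session_token })
end

# data-turbo="false": a plain browser POST with neither header nor hidden field.
def plain_form_without_hidden_field(check)
  check.verified_request?(params: { "title" => "x" })
end

# The plain POST passes once the hidden authenticity_token field is included.
def plain_form_with_hidden_field(check)
  check.verified_request?(params: { "title" => "x", CsrfCheck::PARAM => check.session_token })
end
```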