After upgrading to Rails 5.2 I started to get an ActionController::InvalidAuthenticityToken error for all forms in my application. I have worked around this by disabling Turbolinks for all forms, which works but is not a very good solution.
Searching the internet, the common solution recommended seems to be to disable protect_from_forgery:
skip_before_action :verify_authenticity_token, raise: false
Why would we need to disable protect_from_forgery, and doesn't that create a security hole?
EDIT: csrf_meta_tags are in the layout.
For Rails 5.2, default_protect_from_forgery is enabled by default on ActionController::Base.
You can disable it using the following syntax, as explained in the PR.
config.action_controller.default_protect_from_forgery = false
Ref from the docs:
config.action_controller.default_protect_from_forgery determines whether forgery protection is added on ActionController:Base. This is false by default, but enabled when loading defaults for Rails 5.2.
For Rails 5.2 I had to add these two lines inside the controller I had an issue with:
skip_before_action :verify_authenticity_token, raise: false
skip_after_action :verify_authorized
and it worked in my case.
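A way to check a codebase for the two settings discussed in these answers, as an added example that is not part of the original posts: it flags default_protect_from_forgery = false and any skip_before_action :verify_authenticity_token that carries no only:/except:/if:/unless: scope. The file names and contents in SAMPLE_FILES are constructed, and the scan is line-based, so it assumes each call sits on a single line.

```ruby
# Added example: flags the CSRF-disabling patterns quoted on this page.
# File names and contents in SAMPLE_FILES are constructed for illustration.

SKIP_RE   = /\bskip_before_action\s*\(?\s*:verify_authenticity_token\b(?<opts>[^#]*)/
GLOBAL_RE = /\bdefault_protect_from_forgery\s*=\s*false\b/
SCOPE_RE  = /\b(only|except|if|unless):/ # options that limit where the skip applies

Finding = Struct.new(:file, :line, :kind, :text)

# Returns an array of Finding for one file's source text.
def audit_source(file, source)
  findings = []
  source.each_line.with_index(1) do |raw, lineno|
    code = raw.strip
    next if code.empty? || code.start_with?("#") # ignore blank and commented-out lines
    if (m = SKIP_RE.match(code))
      # `raise: false` only silences a missing-callback error; it does not scope the skip.
      kind = SCOPE_RE.match?(m[:opts]) ? :scoped_skip : :blanket_skip
      findings << Finding.new(file, lineno, kind, code)
    elsif GLOBAL_RE.match?(code)
      findings << Finding.new(file, lineno, :global_disable, code)
    end
  end
  findings
end

def audit(files)
  files.flat_map { |name, src| audit_source(name, src) }
end

SAMPLE_FILES = {
  "config/application.rb" => <<~RUBY,
    config.load_defaults 5.2
    config.action_controller.default_protect_from_forgery = false
  RUBY
  "app/controllers/forms_controller.rb" => <<~RUBY,
    class FormsController < ApplicationController
      skip_before_action :verify_authenticity_token, raise: false
    end
  RUBY
  "app/controllers/webhooks_controller.rb" => <<~RUBY,
    class WebhooksController < ApplicationController
      # skip_before_action :verify_authenticity_token
      skip_before_action :verify_authenticity_token, only: [:receive]
    end
  RUBY
}.freeze

audit(SAMPLE_FILES).each { |f| puts "#{f.kind} #{f.file}:#{f.line} #{f.text}" } if __FILE__ == $PROGRAM_NAME
```

A blanket_skip or global_disable finding marks a controller or application whose state-changing requests are no longer checked for an authenticity token; a scoped_skip still needs a review of what authenticates the exempted action.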