ActionController::InvalidAuthenticityToken when submitting a form via button with `formmethod: :delete`
#52290
Comments
After debugging: most likely because

```ruby
def per_form_csrf_token(session, action_path, method) #:doc:
  csrf_token_hmac(session, [action_path, method.downcase].join("#"))
end
```

creates the token for the original method (PATCH) in
Okay, so disabling per-form tokens fixes the issue. Should that be documented in the guides about button's
`formaction: :delete`
`formmethod: :delete`
This works with Hotwire, because then it uses the global CSRF token from meta tags, not the method-specific one generated for this form.
This seems like a bug to me. Not only is the token generated using the wrong identifier (it uses the method in the form rather than
I looked into the code, and fixing this might not be straightforward. The
If we can access
rails/actionview/lib/action_view/helpers/form_helper.rb Lines 774 to 779 in ef08762
I think this could be approached in the opposite direction. When calling
That won't work IMO because one can have multiple submit buttons with different
@pokonski You are right. I wasn't aware of the use cases for multiple submit buttons. In that case, moving
This issue has been automatically marked as stale because it has not been commented on for at least three months.
Steps to reproduce

```sh
rails _7.2.0.beta2_ new csrf_repro -d sqlite3
rails g scaffold Products
```

`app/views/products/show.html.erb` with following:

Repo with the project repro: https://github.com/pokonski/csrf_repro
Expected behavior
products#destroy action should be properly executed and product removed.
The docs suggest this is possible (https://guides.rubyonrails.org/form_helpers.html#how-do-forms-with-patch-put-or-delete-methods-work-questionmark) b
Actual behavior

`ActionController::InvalidAuthenticityToken` is raised instead when Hotwire is disabled (via JavaScript disable or just removing it from application.js). The difference seems to be in how the `_method` param is submitted: the `_method` param appears twice, with both the original method (`patch`) and `delete`.

Issue is present in both Firefox 127 and Chrome 126.
System configuration

Rails version: 7.2.0-beta2
Ruby version: ruby 3.2.0 (2022-12-25 revision a528908271) [arm64-darwin23]
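To make the mismatch concrete, here is an added example (not Rails' own code, and not from the issue author) that models per-form CSRF tokens the way the comment above describes them, as an HMAC over `action_path#method`, and shows why a hidden token built for the form's PATCH method fails verification when the button's `formmethod` sends DELETE, while the global (meta-tag) token still passes. The session hash, the helper names `global_token`, `per_form_token`, `valid_token?` and `submit`, and the omission of Rails' token masking step are assumptions of this model.

```ruby
require "openssl"
require "securerandom"

# Simplified model (added example, not Rails' implementation) of the two token kinds:
#   global token   = the per-session secret (what the <meta name="csrf-token"> carries)
#   per-form token = HMAC-SHA256(session secret, "#{action_path}##{method.downcase}")
# Rails additionally masks tokens with a one-time pad before emitting them; that step
# is left out here because it does not change how the token is bound to the method.

def new_session
  { csrf_secret: SecureRandom.hex(32) } # constructed session store
end

def global_token(session)
  session[:csrf_secret]
end

def per_form_token(session, action_path, method)
  identifier = [action_path, method.to_s.downcase].join("#")
  OpenSSL::HMAC.hexdigest("SHA256", session[:csrf_secret], identifier)
end

# Server-side check: a submitted token is accepted if it equals the global token,
# or the per-form token for the path and HTTP method the request actually carries.
def valid_token?(session, token, action_path, request_method)
  OpenSSL.secure_compare(token, global_token(session)) ||
    OpenSSL.secure_compare(token, per_form_token(session, action_path, request_method))
end

# Model of the scenario in the issue: the form's hidden token is generated for the
# form's own method, but a submit button with formmethod: overrides the method the
# request is sent with. Returns whether the server-side check would accept it.
def submit(session, action_path:, form_method:, button_formmethod: nil, per_form_tokens: true)
  token = per_form_tokens ? per_form_token(session, action_path, form_method) : global_token(session)
  effective_method = button_formmethod || form_method
  valid_token?(session, token, action_path, effective_method)
end

if __FILE__ == $PROGRAM_NAME
  s = new_session
  # form method and request method agree: accepted
  puts submit(s, action_path: "/products/1", form_method: :patch)                             # true
  # token bound to PATCH, request sent as DELETE: rejected (the issue)
  puts submit(s, action_path: "/products/1", form_method: :patch, button_formmethod: :delete) # false
  # per-form tokens disabled, global token submitted: accepted
  puts submit(s, action_path: "/products/1", form_method: :patch, button_formmethod: :delete,
              per_form_tokens: false)                                                         # true
end
```

The third call is the workaround mentioned in the thread (turning per-form tokens off falls back to the session-wide token); the second call is the failure being reported. A fix that keeps per-form tokens has to generate a token for the method the request will actually carry, which is exactly what becomes ambiguous once a form has several submit buttons with different `formmethod` values.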