Merge pull request rails#44537 from brtrick/fix-skip-forgery-protection

matthewd · web-flow · commit 1cf3fde2d963 · 2022-02-28T15:24:59.000+10:30
Allow skip_forgery_protection if no protection set
diff --git a/actionmailbox/app/controllers/action_mailbox/base_controller.rb b/actionmailbox/app/controllers/action_mailbox/base_controller.rb
@@ -3,7 +3,7 @@
 module ActionMailbox
   # The base class for all Action Mailbox ingress controllers.
   class BaseController < ActionController::Base
-    skip_forgery_protection if default_protect_from_forgery
+    skip_forgery_protection
 
     before_action :ensure_configured
 
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,12 @@
+*   Fix `skip_forgery_protection` to run without raising an error if forgery
+    protection has not been enabled / `verify_authenticity_token` is not a
+    defined callback.
+
+    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
+    `ArgumentError` if `default_protect_from_forgery` is false.
+
+    *Brad Trick*
+
 *   Make `redirect_to` return an empty response body.
 
     Application controllers that wish to add a response body after calling
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -155,7 +155,7 @@ def protect_from_forgery(options = {})
       #
       # See +skip_before_action+ for allowed options.
       def skip_forgery_protection(options = {})
-        skip_before_action :verify_authenticity_token, options
+        skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false)
       end
 
       private
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -190,6 +190,11 @@ class SkipProtectionController < ActionController::Base
   attr_accessor :skip_requested
 end
 
+class SkipProtectionWhenUnprotectedController < ActionController::Base
+  include RequestForgeryProtectionActions
+  skip_forgery_protection
+end
+
 # common test methods
 module RequestForgeryProtectionTests
   def setup
@@ -1121,3 +1126,14 @@ def assert_not_blocked(&block)
     assert_response :success
   end
 end
+
+class SkipProtectionWhenUnprotectedControllerTest < ActionController::TestCase
+  def test_should_allow_skip_request_when_protection_is_not_set
+    assert_not_blocked { post :index }
+  end
+
+  def assert_not_blocked(&block)
+    assert_nothing_raised(&block)
+    assert_response :success
+  end
+end
diff --git a/railties/test/application/routing_test.rb b/railties/test/application/routing_test.rb
@@ -747,5 +747,17 @@ def index
       get "/"
       assert_equal 200, last_response.status
     end
+
+    test "request to rails/welcome is successful when default_protect_from_forgery is false" do
+      add_to_config <<-RUBY
+        config.action_dispatch.show_exceptions = false
+        config.action_controller.default_protect_from_forgery = false
+      RUBY
+
+      app "development"
+
+      get "/"
+      assert_equal 200, last_response.status
+    end
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ def protect_from_forgery(options = {})`
`155`	`155`	`#`
`156`	`156`	`# See +skip_before_action+ for allowed options.`
`157`	`157`	`def skip_forgery_protection(options = {})`
`158`		`- skip_before_action :verify_authenticity_token, options`
	`158`	`+ skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false)`
`159`	`159`	`end`
`160`	`160`
`161`	`161`	`private`