TheOdinProject
Rails: update first form project description to account for default form submission behavior with Turbo
Checks
- [X] This is not a duplicate of an existing issue (please have a look through our open issues list to make sure)
- [X] I have thoroughly read and understand The Odin Project Contributing Guide
- [X] Would you like to work on this issue?
Describe your suggestion
In the first rails form project, it is advised to start by writing the first form HTML manually, without using rails helpers. Step 1 mentions "You don’t want to forget about safety, so make sure you provide the form with an authenticity token. If you don’t remember how to do so, go back to the Form Basics lesson and refresh your memory."
This link points to a section of the rails form basic lesson where it suggests that "You’ll either get an error or your user session will get zeroed out (depending on your Rails version)".
But in practice, when writing the form HTML manually without hidden element with the form authentication token, the form still submits successfully without CSRF error and a record is created.
This appears to be because forms are now submitted with Turbo by default, and in this case, the token generated with the csrf tag in "head" in application.html.erb is the one that is required and validated when the form is submitted.
Alternatively, when setting data-turbo="false" on the form element to disable submission via turbo, and still omitting the hidden element with the form authenticity token, the csrf error is triggered as expected.
It could be beneficial to clarify this behavior in the project task description and/ or in the rails form basics lesson.
Path
Ruby / Rails
Lesson Url
https://www.theodinproject.com/lessons/ruby-on-rails-forms
(Optional) Discord Name
jegK
(Optional) Additional Comments
No response
Yeah this was written before turbo so it will have changed. I think we need to do a Turbo and heading towards Rails 8 overhaul of the TOP content.
This issue is stale because it has had no activity for the last 30 days.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
yeah sure. I d be happy to propose a local fix to this lesson if you guys are intrested.
Regarding this comment from @CouchofTomato
Yeah this was written before turbo so it will have changed. I think we need to do a Turbo and heading towards Rails 8 overhaul of the TOP content.
I haven t progress much further, so I don't have the overview, but I suspect there are many more places that may need rewriting in light of turbo + rails 8 upgrades. so not sure how meaningful it is to update this section only, and I would not be qualified for this large scale overhaul...
Just let me know if you re interested in a local fix and i ll propose something, keeping the tasks the same, but adding a warning on how to disable turbo for the sake of the exercise and get expected behavior with/without adding csrf tag in the form.
Thanks @jg-k
I'm happy with a local fix. I've started drafting a course update but it won't be done for a little while yet.
@CouchofTomato @JoshDevHub I proposed something in the linked PR. Let me know your thoughts!