Any Security Constraints to turbo_method: 'post' functionality? #648

Open
jonmchan opened this issue Jul 22, 2024 · 1 comment

Comments

@jonmchan
I'm migrating from UJS to turbo, changing links from `link_to "Activate Product", '/product/33/activate', method: 'post'` to `link_to "Activate Product", '/product/33/activate', { data: {turbo_method: 'post'}}`. The link is from a page served from `/admin/products/33`. The turbo code will not honor the POST method unless I change the URL to be from a similar parent location (`/admin/products/33/activate` works). Does turbo have any security constraints that prevent you from turning any link into a POST? Are others having this issue? Is this documented? Or am I the only one experiencing this?

@p8
Contributor

p8 commented Nov 14, 2024

You probably want to use `button_to` instead when doing a POST, PUT, DELETE.
This makes sure it works without JavaScript and adds the `authenticity_token` to the form:
https://edgeapi.rubyonrails.org/classes/ActionView/Helpers/UrlHelper.html#method-i-button_to
