From a31b07d63708e3a567542624f1d282089eaf4db5 Mon Sep 17 00:00:00 2001
From: vangberg <harry@vangberg.name>
Date: Tue, 16 Jun 2026 08:22:44 +0200
Subject: [PATCH] Use Rails 5.2 defaults

The one necessary change was to remove `protect_from_forgery(with: :exception)`
since this is now implicitly part of the controller callbacks. Verified with:

```
% bundle exec rails runner 'ApplicationController._process_action_callbacks.select { |cb| cb.kind == :before }.each_with_index { |cb, i| puts "#{i+1}: #{cb.filter.inspect}" }'
1: :verify_authenticity_token
2: :set_turbolinks_location_header_from_session
3: :check_api!
4: :store_user_location!
```

which still includes `verify_authenticity_token`.

Part of #277.
---
 app/controllers/application_controller.rb | 1 -
 config/application.rb                     | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index ffd6a98d..cdb4a347 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,6 @@
 class ApplicationController < ActionController::Base
   include PageHelper
 
-  protect_from_forgery(with: :exception)
   before_action(:check_api!)
   before_action(:store_user_location!, if: :storable_location?)
 
diff --git a/config/application.rb b/config/application.rb
index d3bd5efb..d6da8ebf 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -9,7 +9,7 @@
 module CandidatusExcubia
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 5.1
+    config.load_defaults 5.2
 
     # Boolean handling of SQLite3
     config.active_record.sqlite3&.represent_boolean_as_integer = true