From f7cc8b31913fe25a6a348536292cec00582ee6b5 Mon Sep 17 00:00:00 2001
From: Yutaka Kamei
Date: Fri, 29 Sep 2023 11:45:42 +0900
Subject: [PATCH] Move up the notice to the line of `:with` explanation
---
 .../lib/action_controller/metal/request_forgery_protection.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index bbf0d57ac98..354b1d8eeed 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -129,13 +129,12 @@ module ActionController # :nodoc:
 #
 # If you need to add verification to the beginning of the callback chain, use prepend: true.
 # * :with - Set the method to handle unverified request.
+ # Note if default_protect_from_forgery is true, Rails call protect_from_forgery with with :exception.
 #
 # Built-in unverified request handling methods are:
 # * :exception - Raises ActionController::InvalidAuthenticityToken exception.
 # * :reset_session - Resets the session.
 # * :null_session - Provides an empty session during request but doesn't reset it completely. Used as default if :with option is not specified.
- # Note if default_protect_from_forgery is true, Rails call protect_from_forgery with with :exception.
- # This might not be intuitive as the method itself treats :with as :null_session by default.
 #
 # You can also implement custom strategy classes for unverified request handling:
 #
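Review bot: The relocated note under `:with` loses the contrast that made it useful, because the commit deletes the sentence saying the method itself treats `:with` as `:null_session` by default. That difference is security-relevant: per the surrounding doc, an explicit `protect_from_forgery` call without `:with` gives an unverified request an empty session instead of raising. I would keep one clause for it next to the moved line, for example `#   An explicit call without :with still falls back to :null_session.` The added line also reads "Rails call protect_from_forgery with with :exception" as shown here; the doubled "with" may be stripped inline markup, but `Rails calls protect_from_forgery with: :exception` would be unambiguous either way.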