Hidden actions render templates

Sometimes you have to temporarily exclude actions from a controller, or someone simply forgot to remove legacy actions. The hide_action method can be used in controllers to hide the given methods from being callable as actions. However, it might not work as expected: the code in the action method is not called, but the template associated with the action is still rendered. This could be a security issue if the template contains only text or does not throw errors on nil objects.

Now, one could think that moving an action to the protected or private part of the controller solves the problem and hides the methods from being callable as actions. It does not; the problem is the same. The only way to actually hide actions is to remove them altogether or to remove the routes for them. Remember that the standard route might still be in place.
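
An audit for the cases described above, as an added example that is not part of the original post: it scans a controller's source for methods that are hidden with hide_action, protected, private or absent, and lists the view templates that still exist under those names. The controller, the template names and the helper names (action_visibility, exposed_templates) are constructed for illustration, and the scan is line-based, so it only understands bare visibility keywords.

```ruby
# Added example, not from the original post. The controller source and the
# template names are constructed sample data; helper names are hypothetical.

# Map each method defined in a controller source to :public, :protected,
# :private or :hidden (named in a hide_action call). Line-based scan: it
# understands bare visibility keywords only, not `private :name`.
def action_visibility(source)
  visibility = :public
  found = {}
  hidden = []
  source.each_line do |line|
    code = line.sub(/#.*/, "").strip
    case code
    when /\A(public|protected|private)\z/
      visibility = $1.to_sym
    when /\Ahide_action\s+(.+)\z/
      hidden.concat($1.scan(/:(\w+)/).flatten)
    when /\Adef\s+(\w+[?!]?)/
      found[$1] = visibility
    end
  end
  hidden.each { |name| found[name] = :hidden }
  found
end

# Return { template => state } for every non-partial template whose action
# is not a public method of the controller.
def exposed_templates(source, templates)
  states = action_visibility(source)
  templates.each_with_object({}) do |path, out|
    name = File.basename(path).split(".").first
    next if name.start_with?("_") # partials are not routed as actions
    state = states.fetch(name, :missing)
    out[path] = state unless state == :public
  end
end

SAMPLE_CONTROLLER = <<~RUBY
  class ReportsController < ApplicationController
    hide_action :legacy_export
    def index; end
    def legacy_export; end
    private
    def debug_dump; end
  end
RUBY
SAMPLE_VIEWS = %w[index.html.erb legacy_export.html.erb debug_dump.html.erb _row.html.erb]

exposed_templates(SAMPLE_CONTROLLER, SAMPLE_VIEWS).each { |path, state| puts "#{path}: action is #{state}, template exists" }
```

Each template it reports should be deleted together with its action, or its route removed.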