> On Sep 30, 3:43 am, "Michael Koziarski" <[EMAIL PROTECTED]> wrote:
> > This does sound like a bug or misconfiguration somewhere along the
> > line. The request verification logic should trigger *everything*
> > that isn't a :get and doesn't have a content-type of one of these:
>
> > @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss,
> > :atom, :yaml]
>
I see the issue now. ActionController::Base includes
RequestForgeryProtection, which defines this method:

    def verifiable_request_format?
      request.content_type.nil? || request.content_type.verify_request?
    end

That first part (request.content_type.nil?) always returns true for
DELETE requests, because ActiveResource only sends an Accept header:

    # connection.rb
    HTTP_FORMAT_HEADER_NAMES = { :get => 'Accept',
      :put => 'Content-Type',
      :post => 'Content-Type',
      :delete => 'Accept'
    }

I think the Delete request needs to send both headers, since I think
ActiveResource wants to receive the deleted content as well.
So far my attempts to send both headers are breaking existing tests,
so I'm working on updating the tests.
Thanks
Jeff
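
Added example, not part of the message above and not Rails or ActiveResource source: a simplified Ruby model of the check discussed in this thread, showing which ActiveResource-style requests end up needing a forgery-protection token. The helper names (`client_headers`, `token_check_required?`, `report`), the `MIME_SYMBOLS` table and the `both:` option are assumptions made for illustration; the header map and the unverifiable type list are the ones quoted in the thread.

```ruby
require 'set'

# Simplified model of the check discussed in this thread (not Rails source).
UNVERIFIABLE_TYPES = Set.new([:text, :json, :csv, :xml, :rss, :atom, :yaml])

# Header ActiveResource sets per HTTP method, as quoted from connection.rb.
HTTP_FORMAT_HEADER_NAMES = {
  :get => 'Accept', :put => 'Content-Type',
  :post => 'Content-Type', :delete => 'Accept'
}

# Constructed MIME-to-symbol table, just enough for the sample requests.
MIME_SYMBOLS = { 'application/xml' => :xml, 'application/json' => :json,
                 'application/x-www-form-urlencoded' => :url_encoded_form }

# Headers a client would send for `method`; `both` models sending both headers.
def client_headers(method, mime, both: false)
  return { 'Accept' => mime, 'Content-Type' => mime } if both
  { HTTP_FORMAT_HEADER_NAMES.fetch(method) => mime }
end

# Mirrors verifiable_request_format?: a missing Content-Type counts as verifiable.
def verifiable_request_format?(headers)
  content_type = headers['Content-Type']
  content_type.nil? || !UNVERIFIABLE_TYPES.include?(MIME_SYMBOLS[content_type])
end

# A token check is demanded for every non-GET request in a verifiable format.
def token_check_required?(method, headers)
  method != :get && verifiable_request_format?(headers)
end

# Outcome per HTTP method for a client that follows the header map above.
def report(mime = 'application/xml')
  HTTP_FORMAT_HEADER_NAMES.keys.map do |m|
    [m, token_check_required?(m, client_headers(m, mime))]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  report.each { |m, req| puts format('%-7s token check required: %s', m, req) }
end
```

In this model only DELETE is flagged, because its request carries no Content-Type; an ordinary form POST is still checked, which is the protection the type list is meant to preserve.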