Is the user who caused the problem friendly or malicious? If (s)he is (or could be) malicious, then perhaps (s)he didn't use a browser to create three records in your database, but instead wrote some code to post three times in quick succession.
I just added a "sleep 5" to my #create method and tried using the "curl" utility to replicate your problem: curl -d"traveler[name]=z" http://localhost:3000/travelers ...but that failed because I didn't set the authenticity token properly. I tried a few different things to figure out how to set it properly, but ultimately gave up and just commented out the #protect_from_forgery call in my application controller. Sure enough, I was able to fire off 3 of these curl commands in quick succession and create 3 new records. If I were of a much more malicious bent, I could probably figure out how to spoof the authenticity token. At this point, I was just trying to figure out an answer to "how could this happen?". If your user isn't malicious and isn't using some sort of automated HTTP screen scraping/updating utility, then I've just wasted your time making you read this. --wpd --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk@googlegroups.com To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---