On Thu, Apr 1, 2010 at 1:08 AM, Frederick Cheung <frederick.che...@gmail.com > wrote:
> Without getting into the debate about how idempotent GET requests
> really are, I'd suspect that these days most people are using restful
> routes. If you use restful routes and remove the default route then
> it's not possible to invoke (eg) a create action from a GET request.

A fair point. Though certainly the use of restful routing is optional, and even if it is used in most cases, I'd wager it is common to find important code happening outside it. In those cases, we have a fail-open scenario with the current filter. The hard part is coming up with a fail-closed filter that will catch these but isn't also a pain to manage for normal requests. At the moment, I cannot think of an elegant solution; this is just one of those things where developer diligence is the solution to security. I'm just concerned the framework-blessed blanket solution is creating a lurking risk in the ecosystem of Rails apps.

On a related note, does anyone know if Rails 3 is taking a different approach to this issue?

jsw

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-t...@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
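The fail-open versus fail-closed distinction discussed in the thread, as an added example that is not part of the original posts and is not Rails code: a stand-alone Ruby model (no Rails dependency) of a verb-based CSRF filter that skips GET requests, beside an action-based filter that only skips actions declared read-only. The two route resolvers, the `READ_ONLY_ACTIONS` list, the `/users/create` sample request and the session token are all constructed for illustration; the only name taken from Rails is the `authenticity_token` parameter.

```ruby
require 'securerandom'

# Constructed request carrying only the fields a CSRF check looks at.
Request = Struct.new(:http_method, :path, :params, :session, :xhr) do
  def get?; http_method == :get; end
  def xhr?; !!xhr; end
end

# Default-route style resolution ("/:controller/:action"): any action name is
# reachable by any verb, so a plain GET can hit "create".
def resolve_default_route(req)
  _, controller, action = req.path.split('/')
  [controller, action || 'index']
end

# Restful-style resolution: "create" exists only as POST to the collection URL,
# so a GET to "/users/create" has no route at all.
def resolve_restful_route(req)
  _, controller, segment = req.path.split('/')
  case [req.http_method, segment]
  when [:get, nil]   then [controller, 'index']
  when [:post, nil]  then [controller, 'create']
  when [:get, 'new'] then [controller, 'new']
  else nil
  end
end

def token_matches?(req)
  expected = req.session[:_csrf_token]
  !expected.nil? && req.params['authenticity_token'] == expected
end

# Fail-open policy as the thread describes it: GET (and XHR) requests are never
# checked, so any state-changing action reachable by GET is unprotected.
def verified_fail_open?(req, _action)
  req.get? || req.xhr? || token_matches?(req)
end

# Fail-closed alternative: the decision keys on the action, not the verb. Only
# actions the developer has declared read-only skip the token check; anything
# else needs a valid token no matter how it was reached.
READ_ONLY_ACTIONS = %w[index show new edit].freeze

def verified_fail_closed?(req, action)
  READ_ONLY_ACTIONS.include?(action) || token_matches?(req)
end

# Route the request, apply the policy; returns :no_route, :rejected or :allowed.
def dispatch(req, resolver, policy)
  route = resolver.call(req)
  return :no_route unless route
  _controller, action = route
  send(policy, req, action) ? :allowed : :rejected
end

# Constructed scenario: a victim session with a token, a forged cross-site GET
# (which carries no token) and a legitimate form POST that does.
def demo
  session    = { _csrf_token: SecureRandom.hex(16) }
  forged_get = Request.new(:get, '/users/create', {}, session, false)
  read_get   = Request.new(:get, '/users/index', {}, session, false)
  legit_post = Request.new(:post, '/users',
                           { 'authenticity_token' => session[:_csrf_token] },
                           session, false)
  {
    forged_get_default_fail_open:   dispatch(forged_get, method(:resolve_default_route), :verified_fail_open?),
    forged_get_default_fail_closed: dispatch(forged_get, method(:resolve_default_route), :verified_fail_closed?),
    forged_get_restful_fail_open:   dispatch(forged_get, method(:resolve_restful_route), :verified_fail_open?),
    read_get_default_fail_closed:   dispatch(read_get,   method(:resolve_default_route), :verified_fail_closed?),
    legit_post_restful_fail_closed: dispatch(legit_post, method(:resolve_restful_route), :verified_fail_closed?)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |scenario, outcome| puts "#{scenario}: #{outcome}" }
end
```

The forged GET is let through by the verb-based filter whenever the default route is present, is stopped by the action-based filter, and simply has no route under restful routing. The cost of the fail-closed version is exactly the management burden the thread anticipates: every action has to be classified, and an action left off `READ_ONLY_ACTIONS` will break ordinary links until someone adds it, so the filter fails safe but still leans on developer diligence to stay usable.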