Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

[getting started guide] more explanation around the delete routing me…

  • Loading branch information...
1 parent 53aaf95 commit 00dce8500952256965723697bb308d0aea7719fd @radar radar committed
Showing with 15 additions and 7 deletions.
  1. +15 −7 guides/source/getting_started.textile
22 guides/source/getting_started.textile
@@ -1063,24 +1063,32 @@ called +post_url+ and +post_path+ available to our application. These are
precisely the methods that the +form_for+ needs when editing a post, and so now
you'll be able to update posts again.
+NOTE: The +:as+ option is available on the +post+, +put+, +delete+ and +match+
+routing methods also.
h4. Deleting Posts
We're now ready to cover the "D" part of CRUD, deleting posts from the
database. Following the REST convention, we're going to add a route for
-deleting posts:
+deleting posts to +config/routes.rb+:
-# config/routes.rb
delete "posts/:id" => "posts#destroy"
-We use the +delete+ method for destroying resources, which is mapped to
-the +destroy+ action, which is provided below:
+The +delete+ routing method should be used for routes that destroy
+resources. If this was left as a typical +get+ route, it could be possible for
+people to craft malicious URLs like this:
-# app/controllers/posts_controller.rb
+<a href=''>look at this cat!</a>
+We use the +delete+ method for destroying resources, and this route is mapped to
+the +destroy+ action inside +app/controllers/posts_controller.rb+, which doesn't exist yet, but is
+provided below:
def destroy
@post = Post.find(params[:id])

0 comments on commit 00dce85

Please sign in to comment.
Something went wrong with that request. Please try again.