In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
My proposal is to announce 'match' method in routes.rb as deprecated and later(e.g. rails 5.0) put it to "private methods" section.
It will encourage people to use "pure" restful methods-verbs like put post get etc and will raise knowledge of their meaning and goal. (GET for retrieving data, POST for state changing requests)
Why? - my points are described at http://homakov.blogspot.com/2012/04/whitelist-your-routes-match-is-evil.html
I would love to hear your viewpoint or just a few words on the subject, thanks for taking into account!
/cc @dhh @wycats and others
The text was updated successfully, but these errors were encountered: