Deprecate method "match" in routes.rb #5964
Comments
👍
👍
👍
I agree.
nordringrayhide pushed a commit to nordringrayhide/rails that referenced this issue May 2, 2012
In the current router DSL, using the +match+ DSL method will match all verbs for the path to the specified endpoint. In the vast majority of cases, people are currently using +match+ when they actually mean +get+. This introduces security implications. This commit disallows calling +match+ without an HTTP verb constraint by default. To explicitly match all verbs, this commit also adds a :via => :all option to +match+. Closes rails#5964
vosechu referenced this issue in lavapj/commuterapp Apr 17, 2013
Updated .gitignore with more temp files;
My proposal is to announce the 'match' method in routes.rb as deprecated and later (e.g. Rails 5.0) put it in the "private methods" section.
It will encourage people to use "pure" RESTful methods-verbs like put, post, get, etc. and will raise knowledge of their meaning and goal. (GET for retrieving data, POST for state-changing requests)
Why? - my points are described at http://homakov.blogspot.com/2012/04/whitelist-your-routes-match-is-evil.html
I would love to hear your viewpoint or just a few words on the subject, thanks for taking into account!
/cc @dhh @wycats and others
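
An added example (not code from this issue, the referenced commit, or the Rails project): a small audit of a `routes.rb` source for the case both the proposal and the commit message describe, `match` with no HTTP verb constraint, plus the explicit `:via => :all` opt-in so it can be reviewed. The helper name `audit_routes` and the sample routes are assumptions constructed for illustration.

```ruby
# Added example: flag `match` routes that carry no HTTP verb constraint.
# ROUTES_SAMPLE is constructed for illustration, not taken from a real app.
ROUTES_SAMPLE = <<~'ROUTES'
  MyApp::Application.routes.draw do
    match '/posts/:id/delete' => 'posts#destroy'
    match '/login' => 'sessions#create', :via => :post
    match '/search' => 'search#index', via: [:get, :post]
    match '/hook' => 'hooks#receive',
          :via => :all
    # match '/old' => 'legacy#index'
    get '/about' => 'pages#about'
  end
ROUTES

# Captures the value of a :via option in either hash syntax.
VIA_OPTION = /(?::via\s*=>|\bvia:)\s*(\[[^\]]*\]|:\w+)/

# audit_routes is a hypothetical helper name. It is a line-based heuristic,
# not a Ruby parser: a comment is recognised only when `#` starts the line or
# follows whitespace, so endpoint strings such as 'posts#destroy' stay intact.
def audit_routes(source)
  findings = []
  pending = nil # [start_line, text] of a statement continued across lines
  source.each_line.with_index(1) do |raw, number|
    code = raw.sub(/(^|\s)#.*/, '').strip
    next if code.empty?
    pending = pending ? [pending[0], "#{pending[1]} #{code}"] : [number, code]
    next if code.end_with?(',', '=>', '\\') # call continues on the next line
    line, statement = pending
    pending = nil
    next unless statement.match?(/\A(?:\w+\.)?match\b/)
    via = statement[VIA_OPTION, 1]
    if via.nil?
      findings << { line: line, issue: :no_verb_constraint } # answers every verb
    elsif via == ':all'
      findings << { line: line, issue: :explicit_all_verbs } # intentional, review it
    end
  end
  findings
end

audit_routes(ROUTES_SAMPLE).each do |f|
  puts "routes.rb:#{f[:line]}: #{f[:issue]}"
end
```

A multi-line call is reported at the line where it starts, so the `/hook` route above is reported at line 5.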