Added notes to Routing documentation and routes.rb regarding defaults routes opening the whole application for GET requests

Signed-off-by: Michael Koziarski <michael@koziarski.com>

2 files changed, 6 insertions, 0 deletions

diff --git a/actionpack/lib/action_controller/routing.rb b/actionpack/lib/action_controller/routing.rb
index 8846dcc504..dfbaa53b7c 100644
--- a/actionpack/lib/action_controller/routing.rb
+++ b/actionpack/lib/action_controller/routing.rb
@@ -88,6 +88,10 @@ module ActionController
   #
   #   map.connect ':controller/:action/:id', :action => 'show', :defaults => { :page => 'Dashboard' }
   #
+  # Note: The default routes, as provided by the Rails generator, make all actions in every
+  # controller accessible via GET requests. You should consider removing them or commenting
+  # them out if you're using named routes and resources.
+  #
   # == Named routes
   #
   # Routes can be named with the syntax <tt>map.name_of_route options</tt>,
diff --git a/railties/configs/routes.rb b/railties/configs/routes.rb
index b579d6c7d1..4f3d9d22dd 100644
--- a/railties/configs/routes.rb
+++ b/railties/configs/routes.rb
@@ -36,6 +36,8 @@ ActionController::Routing::Routes.draw do |map|
   # See how all your routes lay out with "rake routes"
 
   # Install the default routes as the lowest priority.
+  # Note: These default routes make all actions in every controller accessible via GET requests. You should
+  # consider removing the them or commenting them out if you're using named routes and resources.
   map.connect ':controller/:action/:id'
   map.connect ':controller/:action/:id.:format'
 end