Fixed passing of delete method on button_to tag, creating wrong form csrf token

Fixes #23524
author: Vipul A M <vipulnsward@gmail.com> 2016-02-18 17:38:19 +0530
committer: Vipul A M <vipulnsward@gmail.com> 2016-02-21 23:20:55 +0530
commit: 92203d754f535c01c5ec3175627425d20e3d2839 (patch)
tree: d699582ee11ce7e5c1fbec4310527a033d87a05d /actionview/lib/action_view/helpers/url_helper.rb
parent: 3156a7692c3c51adb846252192364172b05bd67f (diff)
download: rails-92203d754f535c01c5ec3175627425d20e3d2839.tar.gz
rails-92203d754f535c01c5ec3175627425d20e3d2839.tar.bz2
rails-92203d754f535c01c5ec3175627425d20e3d2839.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index 87218821ed..4d82cbd469 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -311,8 +311,8 @@ module ActionView
         form_options[:action] = url
         form_options[:'data-remote'] = true if remote
 
-        request_token_tag = if form_method == 'post'
-          token_tag(nil, form_options: form_options)
+        request_token_tag = if (form_method == 'post' || method == 'delete')
+          token_tag(nil, form_options: form_options.merge(method: method))
         else
           ''
         end
author	Vipul A M <vipulnsward@gmail.com>	2016-02-18 17:38:19 +0530
committer	Vipul A M <vipulnsward@gmail.com>	2016-02-21 23:20:55 +0530
commit	92203d754f535c01c5ec3175627425d20e3d2839 (patch)
tree	d699582ee11ce7e5c1fbec4310527a033d87a05d /actionview/lib/action_view/helpers/url_helper.rb
parent	3156a7692c3c51adb846252192364172b05bd67f (diff)
download	rails-92203d754f535c01c5ec3175627425d20e3d2839.tar.gz rails-92203d754f535c01c5ec3175627425d20e3d2839.tar.bz2 rails-92203d754f535c01c5ec3175627425d20e3d2839.zip