From 56cdc81c08b1847c5c1f699810a8c3b9ac3715a6 Mon Sep 17 00:00:00 2001
From: Jose and Yehuda <wycats@gmail.com>
Date: Tue, 24 Apr 2012 22:32:09 -0500
Subject: Remove default match without specified method

In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.

In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.

This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.

Closes #5964
---
 actionpack/test/template/test_test.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack/test/template/test_test.rb')

diff --git a/actionpack/test/template/test_test.rb b/actionpack/test/template/test_test.rb
index adcbf1447f..108a674d95 100644
--- a/actionpack/test/template/test_test.rb
+++ b/actionpack/test/template/test_test.rb
@@ -48,7 +48,7 @@ class PeopleHelperTest < ActionView::TestCase
     def with_test_route_set
       with_routing do |set|
         set.draw do
-          match 'people', :to => 'people#index', :as => :people
+          get 'people', :to => 'people#index', :as => :people
         end
         yield
       end
-- 
cgit v1.2.3