Why “Not use default route”?

Posted on by

In my Rails Best Practices slides, I only give simple code without any description (unless you heard my talk :p), so let me explain here.

my point is: “If you use RESTful design, you should NOT use default route.” Why?

For example:


map.resources :users
map.connect ':controller/:action/:id'
map.connect ':controller/:action/:id.:format'

You expect only “PUT /users/1″ will update user data, but because you keep default route, so “GET /users/update/1?user[email]=foobar@example.org” still works!!

In the same way, “GET /users/create” and “GET /users/destroy/1″ works too!! Even worse, the latter can create/update/destroy data without Request Forgery Protection :/ Rails does not check CRSF for HTTP GET.

Conclusion: Remove default route, use purely resource-based routes and named routes for special purpose.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="" highlight="">