Why “Not use default route”?

In my Rails Best Practices slides, I only give simple code without any description (unless you heard my talk :p), so let me explain here.

my point is: “If you use RESTful design, you should NOT use default route.” Why?

For example:

map.resources :users
map.connect ':controller/:action/:id'
map.connect ':controller/:action/:id.:format'

You expect only “PUT /users/1” will update user data, but because you keep default route, so “GET /users/update/1?user[email]=foobar@example.org” still works!!

In the same way, “GET /users/create” and “GET /users/destroy/1” works too!! Even worse, the latter can create/update/destroy data without Request Forgery Protection :/ Rails does not check CRSF for HTTP GET.

Conclusion: Remove default route, use purely resource-based routes and named routes for special purpose.