I'm setting up security on my Rails App according to the Ruby on Rails Guide.

My understanding is that the 'edit' method in the Users Controller (which I'm using to render my User settings view) should only be submitting a GET request, and that the 'update' method is submitting the POST request. But when I want to verify the types of requests for different methods like this:

#UsersController
verify :method => :post, :only => [:update], :redirect_to => {:action => :show}

the app doesn't save any of the changes made to user settings. And if I change the verification to

verify :method => :post, :only => [:update, :edit], :redirect_to => {:action => :show}

I can't even render the settings view.

StackOverflow is usually great at educating me on areas I don't know much about. Does anyone know what could be going on?

+1  A: 

You're close, but a little off. Here are the seven RESTful routes, and what method they use:

  1. index: GET
  2. show: GET
  3. new: GET
  4. create: POST
  5. edit: GET
  6. update: PUT
  7. destroy: DELETE

As you can see, updating requires a PUT. It's creating that uses POST. This should fix it:

verify :method => :put, :only => [:update], :redirect_to => {:action => :show}
Jaime Bellmyer
Great, thanks! The sentence here is what threw me: "If your web application is RESTful, you might be used to additional HTTP verbs, such as PUT or DELETE. Most of today's web browsers, however do not support them – only GET and POST. Rails uses a hidden _method field to handle this barrier." But I guess Rails handles it.
kateray
Yeah, it sure does. It's a necessary evil until browsers catch up :)
Jaime Bellmyer
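
Added example, not part of the original thread and not Rails source: a simplified Ruby model of the hidden `_method` override and a `verify`-style check, showing why the `:post` rule redirected the settings form while `:put` lets it through. The helper names (`effective_method`, `verify_rule`) and the sample form parameters are constructed for illustration.

```ruby
# Simplified model, not Rails source. Names and sample data are constructed.
OVERRIDABLE = %w[PUT DELETE].freeze # verbs an HTML form cannot send directly

# Verb the controller sees. Only a real POST may be overridden by _method,
# so a plain GET link carrying _method=put still counts as GET.
def effective_method(http_method, params)
  verb = http_method.to_s.upcase
  override = params["_method"].to_s.upcase
  return override if verb == "POST" && OVERRIDABLE.include?(override)
  verb
end

# Models `verify :method => ..., :only => [...], :redirect_to => {...}`.
# Returns :run if the action may execute, otherwise the redirect target.
def verify_rule(rule, action, http_method, params)
  return :run unless rule[:only].include?(action)
  required = rule[:method].to_s.upcase
  effective_method(http_method, params) == required ? :run : rule[:redirect_to]
end

SHOW = { :action => :show }.freeze
# Constructed sample: the settings form as the browser submits it (a POST).
FORM = { "_method" => "put", "user" => { "name" => "kate" } }.freeze

ASKER_RULE  = { :method => :post, :only => [:update], :redirect_to => SHOW }.freeze
WIDE_RULE   = { :method => :post, :only => [:update, :edit], :redirect_to => SHOW }.freeze
ANSWER_RULE = { :method => :put, :only => [:update], :redirect_to => SHOW }.freeze

# Each row: label, rule, action, HTTP verb on the wire, params.
CASES = [
  ["asker's rule, form submit", ASKER_RULE, :update, "POST", FORM],
  ["rule widened to :edit, page load", WIDE_RULE, :edit, "GET", {}],
  ["answer's rule, form submit", ANSWER_RULE, :update, "POST", FORM],
  ["answer's rule, GET with _method", ANSWER_RULE, :update, "GET", FORM],
].freeze

CASES.each do |label, rule, action, verb, params|
  puts format("%-34s -> %s", label, verify_rule(rule, action, verb, params).inspect)
end
```

The last case is the one that matters for security: because the override only applies to a real POST, a GET request cannot reach `update` by carrying `_method=put`.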