I am submitting a simple ajax delete request like so:
#invitation_actions
=link_to "delete", invitation_path(invitation), :method=>:delete, :remote=>true, :class=>"remove", :confirm=>'Are you sure you?'
Note that the page that has the request contains the authenticity_token thanks to the csrf_meta_tag tag that is included in all the pages.
When I look in the logs I see that the delete request is missing the authenticity_token:
Started DELETE "/invitations/5" for 127.0.0.1 at 2011-04-22 11:21:21 -0700
Processing by InvitationsController#destroy as
Parameters: {"id"=>"5"}
Now if I remove the ":remote=>true" from the code, i.e. I do a regular page load, the delete works and I see the following in the log file:
Started POST "/invitations/10" for 127.0.0.1 at 2011-04-22 12:52:19 -0700
Processing by InvitationsController#destroy as HTML
Parameters: {"authenticity_token"=>"qlT8uX/WGQeOQSmVZzw1v8rFdSTHDRbzNY0zpSc9mV0=", "id"=>"5"}
Why is it a DELETE in the AJAX case and a POST in the non AJAX case?
Why does the DELETE not include the authenticity_token?
Thanks for any help.
The first possible cause for your issue (that I can think of) is that if your UJS script is more than a couple of months old you may need to update it to the latest version in order for your application to send the authenticity token with AJAX requests.
This change in behaviour occurred in February 2011, which meant that all Rails UJS scripts had to be updated:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
The second part of your question asks about the HTTP POST verb being used for a delete in the non-AJAX case. This is because Rails has to simulate REST form handling, since browsers don't implement all four HTTP verbs (GET, POST, PUT and DELETE): these verbs aren't valid in HTML forms.
JavaScript (AJAX) can do the real thing because it controls the headers that are sent to your AJAX endpoint.
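To make the two mechanisms in this answer concrete, here is an added Ruby example (written for this page, not Rails' own implementation) that models both the `_method` override a non-AJAX form uses to "send" a DELETE via POST, and a CSRF check that accepts the authenticity token either as a form parameter or as an X-CSRF-Token header, which is how a current UJS script sends it on AJAX requests. The `handle`, `effective_method`, `verified?` and `secure_compare` helpers, the fixed `SESSION_TOKEN`, and the three sample requests are all constructed for the example; the session token handling, response codes and exemptions are simplifications of what Rails does.

```ruby
require 'securerandom'

# Constructed session token; Rails stores a random one in the user's session.
SESSION_TOKEN = SecureRandom.base64(32)

# Resolve the effective HTTP verb. Browsers only submit GET and POST from HTML
# forms, so Rails lets a POST carry a hidden _method field naming the intended
# verb. Only POST is allowed to be overridden, and only to a known verb.
def effective_method(verb, params)
  return verb unless verb == 'POST'
  override = params['_method'].to_s.upcase
  %w[PUT PATCH DELETE].include?(override) ? override : 'POST'
end

# Constant-time comparison so the token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# State-changing verbs must carry a valid token. GET is exempt, as in Rails.
# The token may arrive as the authenticity_token form parameter (classic form
# submit) or as the X-CSRF-Token header (AJAX via UJS).
def verified?(verb, params, headers, session_token)
  return true if verb == 'GET'
  candidate = params['authenticity_token'] || headers['X-CSRF-Token']
  candidate.is_a?(String) && secure_compare(candidate, session_token)
end

# Dispatch one request the way a controller with protect_from_forgery would.
# Returns [status, effective_verb]; 403 stands in for the rejection Rails
# performs on an unverified request.
def handle(verb, params, headers = {}, session_token = SESSION_TOKEN)
  method = effective_method(verb, params)
  return [403, method] unless verified?(method, params, headers, session_token)
  [200, method]
end

# Constructed requests mirroring the two log excerpts in the question.
# 1. Non-AJAX link: the browser POSTs a form with _method=delete and the token.
FORM_DELETE = { 'id' => '5', '_method' => 'delete',
                'authenticity_token' => SESSION_TOKEN }
# 2. AJAX delete from an outdated UJS script: a real DELETE with no token anywhere.
AJAX_DELETE_NO_TOKEN = { 'id' => '5' }
# 3. AJAX delete from a current UJS script: a real DELETE carrying the header.
AJAX_DELETE_HEADER = { 'X-CSRF-Token' => SESSION_TOKEN }

if __FILE__ == $PROGRAM_NAME
  p handle('POST', FORM_DELETE)                                  # => [200, "DELETE"]
  p handle('DELETE', AJAX_DELETE_NO_TOKEN)                       # => [403, "DELETE"]
  p handle('DELETE', AJAX_DELETE_NO_TOKEN, AJAX_DELETE_HEADER)   # => [200, "DELETE"]
  p handle('DELETE', { 'id' => '5' }, { 'X-CSRF-Token' => 'bogus' }) # => [403, "DELETE"]
end
```

The second call reproduces the question's failing case: the verb really is DELETE (JavaScript can set it directly), but nothing carries the token, so a forgery-protected endpoint must refuse it; the third call shows the same request once the UJS script adds the header from the csrf_meta_tag.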