Which is the "correct" way to do verb-constrained non-resource routes. Not ever routing the wrong verb is even better than checking it in the controller.
call me a bad coder but when I used rails 2.3 I had never seen it in production code.
Ok, then you're a bad coder. All Rails applications I've ever worked on had those checks and the documentation for Rails made it pretty clear that verify :method should be used for non-GET requests.
Anyways rails 2.3 had no csrf protection
You really need to check your facts. Rails has had protect_from_forgery since at least 2.2 and it was enabled by default in ApplicationController. Rails < 2.3.10 did not do the verification for AJAX requests, but this was changed in 2.3.11.
Appreciate your info! Really, I messed with facts - in 2011 it was made for AJAX :) You are right!
Ops FIX: you should call bad coder not me but people whom code I had been reading years ago.
And anyways burke is right:
>Supposed to be, but rarely was. Throw a bunch of new programmers at a framework, and insecure-by-default becomes insecure.
btw verify method: :post is nice to have but obviously uglier than current routes.rb DSL.
Rails 2.3 had "verify :method => :post" which was supposed to be used in controllers. This is nothing new.