#2490 HTTP Digest auth uses wrong request method for PUT, DELETE - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#2490 ✓resolved

HTTP Digest auth uses wrong request method for PUT, DELETE

Reported by Steve Madsen | April 14th, 2009 @ 07:46 PM | in 2.x

Browsers do not support the PUT or DELETE methods, so the _method parameter is used in forms to simulate these. The browser submits the form using POST.

The problem is that the MethodOverride class replaces REQUEST_METHOD in the environment with the intended one. When the browser builds the HTTP_AUTHORIZATION header for HTTP Digest authentication, it does so knowing it will submit using POST. Validation fails, however, because Rails is using PUT or DELETE instead.

HTTP Digest authentication should first check for the presence of rack.methodoverride.original_method in the environment and use that before using REQUEST_METHOD.

http_digest_authentication_test.patch 1.7 KB

Comments and changes to this ticket

Steve Madsen April 14th, 2009 @ 07:48 PM
- no changes were found...
- http_authentication.patch 867 Bytes
Pratik May 17th, 2009 @ 07:25 PM
- State changed from “new” to “incomplete”
Hey Steve,

The tests still fail even after applying the patch.
You flagged this item as spam.
Steve Madsen May 18th, 2009 @ 03:50 PM
Hi, Pratik. I just looked at this again, on branch origin/2-3-stable. Without my patch to http_authentication.rb, the new test case still fails for me and passes with the patch.

I'd like to get this applied. Would you give me a little more information about what is failing for you?
Pratik May 18th, 2009 @ 03:58 PM
Oops, sorry. I had commented a line from your test.
Repository May 18th, 2009 @ 04:05 PM
- State changed from “incomplete” to “resolved”
(from [dbb025827992331843566be418a6f86d89f41868]) Ensure HTTP Digest auth uses appropriate HTTP method [#2490 state:resolved] [Steve Madsen] http://github.com/rails/rails/commit/dbb025827992331843566be418a6f8...
Repository May 18th, 2009 @ 04:05 PM
(from [195fadbfd31294d43634afb7bbf4f0ffc86b470a]) Ensure HTTP Digest auth uses appropriate HTTP method [#2490 state:resolved] [Steve Madsen] http://github.com/rails/rails/commit/195fadbfd31294d43634afb7bbf4f0...