This project is archived and is in readonly mode.

#2490 ✓resolved
Steve Madsen

HTTP Digest auth uses wrong request method for PUT, DELETE

Reported by Steve Madsen | April 14th, 2009 @ 07:46 PM | in 2.x

Browsers do not support the PUT or DELETE methods, so the _method parameter is used in forms to simulate these. The browser submits the form using POST.

The problem is that the MethodOverride class replaces REQUEST_METHOD in the environment with the intended one. When the browser builds the HTTP_AUTHORIZATION header for HTTP Digest authentication, it does so knowing it will submit using POST. Validation fails, however, because Rails is using PUT or DELETE instead.

HTTP Digest authentication should first check for the presence of rack.methodoverride.original_method in the environment and use that before using REQUEST_METHOD.
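The mismatch described in this ticket, as an added example that is not part of the original report and not Rails' own code: the RFC 2617 response hash includes the request method, so a response the browser computed for POST fails when checked against the overridden PUT. The helper names, the credentials and the nonce values are constructed for illustration, and qop=auth is assumed.

```ruby
require 'digest/md5'

# RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
# where HA2 = MD5(method:uri). The request method is part of the hash.
def digest_response(method, auth, password)
  ha1 = Digest::MD5.hexdigest("#{auth[:username]}:#{auth[:realm]}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{auth[:uri]}")
  Digest::MD5.hexdigest([ha1, auth[:nonce], auth[:nc], auth[:cnonce], 'auth', ha2].join(':'))
end

# Compare without returning early on the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Behaviour described in the ticket: validate against REQUEST_METHOD only.
def valid_using_request_method?(env, auth, password)
  secure_compare(digest_response(env['REQUEST_METHOD'], auth, password), auth[:response])
end

# Behaviour the ticket asks for: prefer the method the client actually sent.
def valid_using_original_method?(env, auth, password)
  method = env['rack.methodoverride.original_method'] || env['REQUEST_METHOD']
  secure_compare(digest_response(method, auth, password), auth[:response])
end

# Constructed sample values (hypothetical user, realm and nonces).
PASSWORD = 'secret'
PARAMS = { username: 'alice', realm: 'Application', uri: '/posts/1',
           nonce: 'abc123', nc: '00000001', cnonce: 'def456' }.freeze

# Browser side: the form carries _method=put but is sent as POST,
# so the browser hashes "POST" into its response.
def browser_params
  PARAMS.merge(response: digest_response('POST', PARAMS, PASSWORD))
end

# Environment after MethodOverride has rewritten REQUEST_METHOD.
OVERRIDDEN_ENV = { 'REQUEST_METHOD' => 'PUT',
                   'rack.methodoverride.original_method' => 'POST' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts valid_using_request_method?(OVERRIDDEN_ENV, browser_params, PASSWORD)  # false
  puts valid_using_original_method?(OVERRIDDEN_ENV, browser_params, PASSWORD) # true
end
```

A client that sends a real PUT has no rack.methodoverride.original_method key in its environment, so the second check falls back to REQUEST_METHOD and still validates.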


Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
