This project is archived and is in readonly mode.
Delete method in link_to causes InvalidAuthenticityToken error
Reported by wout | July 16th, 2010 @ 08:29 PM
On one of my apps I recently converted to rails 3 (to be in production next month) I get InvalidAuthenticityToken errors on link_to with :method => :delete. When the link_to is replaced by a button_to (so when a form is used instead) it works perfectly. I can reproduce it in all other apps as well.
Running Ruby EE 1.8.7, Rails 3 beta4 on Mongrel in osx 10.6.
Comments and changes to this ticket
-
nathaniel August 9th, 2010 @ 03:26 AM
Just posting in here to note that I came across the same issue and also the same fix (using button_to instead of link_to).
I'm currently running Rails3.0.0rc Ruby 1.9.2dev osx 10.6
-
Rohit Arondekar August 9th, 2010 @ 11:49 AM
- Importance changed from to Low
Creating a scaffold in RC which has a link_to using the :method => delete option works fine. The code is —
<%= link_to 'Destroy', post, :confirm => 'Are you sure?', :method => :delete %>
The corresponding HTML generated is —
<a rel="nofollow" data-method="delete" data-confirm="Are you sure?" href="/posts/2">Destroy</a>
Anything else that needs to be done to reproduce this issue? Can you try it on a fresh app created using RC?
-
Andrius Chamentauskas August 13th, 2010 @ 03:34 PM
I can also confirm this bug. Furthermore it seems that if you put:
<%= link_to 'Destroy', post, :confirm => 'Are you sure?', :method => :delete %>
It generates an additional hidden form, but if you use post_path(post) instead it does not generate it.
The generated HTML seems to be correct, I think it's more a bug with the javascript that handles these kinds of links.
This needs much higher priority...
-
plasko August 19th, 2010 @ 10:32 PM
This just happened on a new project that I started in the RC. I had to change it to button_to, though that's probably a little better anyway, since it doesn't rely on javascript to work.
-
Andrew White August 19th, 2010 @ 11:43 PM
- State changed from new to invalid
I came across this the other day - you need to add <%= csrf_meta_tag %> to your layout file. The reason button_to works is that it creates an inline form which includes the hidden input auth token. The csrf_meta_tag helper adds a meta tag to the header which the rails.js code reads when it submits the form.
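An added example (not part of the original thread and not the rails.js source): a simplified JavaScript model of the behaviour described in the comment above, showing why a data-method link is rejected when the layout has no csrf_meta_tag output. The meta tag names csrf-param and csrf-token are the ones csrf_meta_tag emits; the token value, function names and server-side check are constructed for illustration.

```javascript
// Simplified model of the exchange; not the actual rails.js or Rails source.
// Constructed sample values: the token and the two layout <head> strings.
const SESSION_TOKEN = "constructed-token-123";
const HEAD_WITH_TAG =
  '<meta name="csrf-param" content="authenticity_token"/>' +
  '<meta name="csrf-token" content="' + SESSION_TOKEN + '"/>';
const HEAD_WITHOUT_TAG = "<title>Posts</title>";

// Read a <meta name="..."> content value from the page head, or null.
function readMeta(headHtml, name) {
  const re = new RegExp('<meta\\s+name="' + name + '"\\s+content="([^"]*)"');
  const m = re.exec(headHtml);
  return m ? m[1] : null;
}

// What the JavaScript driver submits for a data-method link: a POST form
// with _method set, plus the token only if both meta tags are present.
function buildLinkForm(link, headHtml) {
  const fields = { _method: link.method };
  const param = readMeta(headHtml, "csrf-param");
  const token = readMeta(headHtml, "csrf-token");
  if (param !== null && token !== null) fields[param] = token;
  return { action: link.href, method: "POST", fields };
}

// Server-side check (model): non-GET requests must carry the session token.
function verifyRequest(form, sessionToken) {
  const sent = form.fields.authenticity_token;
  if (typeof sent !== "string" || sent.length !== sessionToken.length) {
    return "InvalidAuthenticityToken";
  }
  let diff = 0; // compare without an early exit on the first mismatch
  for (let i = 0; i < sent.length; i++) {
    diff |= sent.charCodeAt(i) ^ sessionToken.charCodeAt(i);
  }
  return diff === 0 ? "ok" : "InvalidAuthenticityToken";
}

const destroyLink = { href: "/posts/2", method: "delete" };

// Full round trip: build the form for the Destroy link, then verify it.
function submitDestroy(headHtml) {
  return verifyRequest(buildLinkForm(destroyLink, headHtml), SESSION_TOKEN);
}

console.log("layout with csrf_meta_tag:   ", submitDestroy(HEAD_WITH_TAG));
console.log("layout without csrf_meta_tag:", submitDestroy(HEAD_WITHOUT_TAG));
```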
-
Rob Eastham September 1st, 2010 @ 03:27 PM
If <%= csrf_meta_tag %> alone does not seem to be helping then perhaps you have a conflict with jQuery. That's what it turned out to be for me. I wrote a bit more detail along with code required for the solution on another related StackOverflow
Tickets have moved to Github
The new ticket tracker is available at https://github.com/rails/rails/issues