This project is archived and is in readonly mode.

#5134 ✓invalid

Delete method in link_to causes InvalidAuthenticityToken error

Reported by wout | July 16th, 2010 @ 08:29 PM

On one of my apps I recently converted to rails 3 (to be in production next month) I get InvalidAuthenticityToken errors on link_to with :method => :delete. When the link_to is replaced by a button_to (so when a form is used instead) it works perfectly. I can reproduce it in all other apps as well.

Running Ruby EE 1.8.7, Rails 3 beta4 on Mongrel in osx 10.6.

Comments and changes to this ticket

  • nathaniel

    nathaniel August 9th, 2010 @ 03:26 AM

    just posting in here to note that I came across the same issue and also the same fix (using button_to instead of link_to).
    I'm currently running Rails3.0.0rc Ruby 1.9.2dev osx 10.6

  • Rohit Arondekar

    Rohit Arondekar August 9th, 2010 @ 11:49 AM

    • Importance changed from “” to “Low”

    Creating a scaffold in RC which has a link_to using the :method => delete option works fine. The code is —

      <%= link_to 'Destroy', post, :confirm => 'Are you sure?', :method => :delete %>

    The corresponding HTML generated is —

    <a rel="nofollow" data-method="delete" data-confirm="Are you sure?" href="/posts/2">Destroy</a>

    Anything else that needs to be done to reproduce this issue? Can you try it on a fresh app created using RC?

  • Andrius Chamentauskas

    Andrius Chamentauskas August 13th, 2010 @ 03:34 PM

    I can also confirm this bug. Futhermore it seems that if you put:

    <%= link_to 'Destroy', post, :confirm => 'Are you sure?', :method => :delete %>

    It generate additional hidden form, but if you use post_path(post) instead it does not generate it.

    The generated HTML seems to be correct, I think it's more a bug with javascript that handles these kind of links.

    This needs much higher priority...

  • plasko

    plasko August 19th, 2010 @ 10:32 PM

    This just happened on a new project that I started in the RC. I had to change it to button_to, though that's probably a little better anyway, since it doesn't rely on javascript to work.

  • Andrew White

    Andrew White August 19th, 2010 @ 11:43 PM

    • State changed from “new” to “invalid”

    I came across this the other day - you need to add <%= csrf_meta_tag %> to your layout file. The reason button_to works is that it creates an inline form which includes the hidden input auth token. The csrf_meta_tag helper adds a meta tag to the header which the rails.js code reads when it submits the form.

  • Rob Eastham

    Rob Eastham September 1st, 2010 @ 03:27 PM

    If <%= csrf_meta_tag %> alone does not seem to be helping then perhaps you have a conflict with jQuery. That's what it turned out to be for me. I wrote a bit more detail along with code required for a the solution on another related StackOverflow

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>