@scambra scambra commented Sep 2, 2011

All requests should be get, it was failing due to forgery protection when a post request uses render_component

For example using render :active_scaffold in the layout, when a post request fails due to validation errors, render_component fails due to forgery protection, clears your session, and it will log you out, for example.

@vhochstein
Owner

But doesn't that change the request completely, I mean a post isn't a get?

@scambra
Author

scambra commented Sep 5, 2011

I will explain in more detail: I have a layout with render :activescaffold => :controller, :params => {:action => :new} to show a quick form to create a model. To render a new action the request must be a GET.

In a get request, index for example, it works right. But in a post request, when it renders the layout, render_component tries to render the new action as a post request, then it tries to check forgery protection and it fails.

@mathieujobin

I think this makes sense...
it's not a real request, the server does not get called, like with JS:remote:true (I think)
instead, it is just calling the code in ruby process.
So if the HTTP_METHOD must be hard-coded to GET

I don't see a problem.

Except that I don't think I needed to make this change, would it be possible to write a test to reproduce the problem?
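
The failure discussed in this thread, modelled in plain Ruby as an added example; it is not code from the pull request, from the plugin or from Rails. `ToyController`, `simulate` and the session values are hypothetical, and the forgery check is a simplified assumption based on the behaviour described above (a failed check clears the session).

```ruby
# Simplified model of Rails-style forgery protection (assumption: a failed
# check clears the session, as described in the thread).
# All class and method names are hypothetical, not Rails or plugin code.
class ToyController
  attr_reader :session

  def initialize(session)
    @session = session
  end

  # GET is treated as safe; any other verb must carry the session's token.
  def verified_request?(method, params)
    method == :get || params[:authenticity_token] == session[:_csrf_token]
  end

  # Runs the forgery check, then "renders" the action.
  def process(method, action, params = {})
    session.clear unless verified_request?(method, params)
    "#{method.to_s.upcase} #{action}"
  end

  # In-process sub-request for a component rendered from the layout.
  # Component params are built by the layout, so they carry no token.
  # force_get: false inherits the outer verb (behaviour before the change);
  # force_get: true hard-codes GET (behaviour the pull request proposes).
  def render_component(outer_method, action, force_get:)
    method = force_get ? :get : outer_method
    ToyController.new(session).process(method, action, {})
  end
end

# Constructed scenario: a logged-in user submits a POST with a valid token
# that fails validation; the layout then renders the quick "new" form.
def simulate(force_get:)
  session = { user_id: 42, _csrf_token: "constructed-token" }
  outer = ToyController.new(session)
  outer.process(:post, :create, authenticity_token: "constructed-token")
  outer.render_component(:post, :new, force_get: force_get)
  session
end

puts "inherit POST: #{simulate(force_get: false).inspect}"
puts "force GET:    #{simulate(force_get: true).inspect}"
```

Because the forced GET is never token-checked, an action rendered this way should only display data and never change state.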
