This article (http://homakov.blogspot.com/2012/04/whitelist-your- routes-match-is-evil.html) explains why an overly liberal specification of the HTTP verbs that a URL accepts can lead to CSRF security exploits. He also submitted a patch removing the "match ':controller(/:action(/:id))" from appearing in the default routes.rb
However, this idiom is constantly used in the Non-Resourceful routing section of the routing guide (http://guides.rubyonrails.org/ routing.html). Agreed that the routing is non-resourceful, so it does not have to adhere to the same standards, but nonetheless, any routing that changes server-side data without an authenticity token is insecure. I feel there should be a warning and a discussion of the issue in the routing guide.
