Is the user who caused the problem friendly or malicious?
If (s)he is (or could be) malicious, then perhaps (s)he didn't use a
browser to create three records in your database, but instead wrote
some code to post three times in quick succession.
I just added a "sleep 5" to my #create method and tried using the
"curl" utility to replicate your problem:
curl -d"traveler[name]=z" http://localhost:3000/travelers
...but that failed because I didn't set the authenticity token
properly. I tried a few different things to figure out how to set it
properly, but ultimately gave up and just commented out the
#protect_from_forgery call in my application controller.
Sure enough, I was able to fire off 3 of these curl commands in quick
succession and create 3 new records.
If I were of a much more malicious bent, I could probably figure out
how to spoof the authenticity token. At this point, I was just trying
to figure out an answer to "how could this happen?".
If your user isn't malicious and isn't using some sort of automated
HTTP screen scraping/updating utility, then I've just wasted your time
making you read this.