hotwired / turbo-rails

Use Turbo in your Ruby on Rails app
https://turbo.hotwired.dev
MIT License

Any Security Constraints to turbo_method: 'post' functionality? #648

Open jonmchan opened 4 months ago

jonmchan commented 4 months ago

I'm migrating from UJS to turbo, changing links from link_to "Activate Product", '/product/33/activate', method: 'post' to link_to "Activate Product", '/product/33/activate', { data: {turbo_method: 'post'}}. The link is from a page served from /admin/products/33. The turbo code will not honor the POST method unless I change the url to be from a similar parent location (/admin/products/33/activate works). Does turbo have any security constraints that prevent you from turning any link into a POST? Are others having this issue? Is this documented? Or am I the only one experiencing this?

p8 commented 2 weeks ago

You probably want to use button_to instead when doing a POST, PUT, DELETE. This makes sure it works without JavaScript and adds the authenticity_token to the form: https://edgeapi.rubyonrails.org/classes/ActionView/Helpers/UrlHelper.html#method-i-button_to
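The three variants side by side, as an added ERB example (not code from the issue or from turbo-rails itself); it assumes a member route `post :activate, on: :member` under `namespace :admin do resources :products end`, so the `activate_admin_product_path` helper and the rendered markup below are assumptions:

```erb
<%# Assumed config/routes.rb:
    namespace :admin do
      resources :products do
        post :activate, on: :member
      end
    end
%>

<%# 1. UJS era: the link was upgraded to POST by rails-ujs, which is gone once UJS is removed. %>
<%= link_to "Activate Product", activate_admin_product_path(@product), method: :post %>

<%# 2. Turbo link: still a plain GET anchor in the HTML. Turbo rewrites it to a POST on
    the client, so if Turbo is not loaded (or JavaScript is off) the browser just GETs the URL. %>
<%= link_to "Activate Product", activate_admin_product_path(@product),
            data: { turbo_method: :post } %>

<%# 3. button_to: renders a real <form>, so it POSTs with or without JavaScript and
    carries the CSRF token as a hidden authenticity_token field checked by
    protect_from_forgery on the server. %>
<%= button_to "Activate Product", activate_admin_product_path(@product), method: :post %>

<%# Approximate markup button_to produces in Rails 7 (token value is per-session): %>
<form class="button_to" method="post" action="/admin/products/33/activate">
  <button type="submit">Activate Product</button>
  <input type="hidden" name="authenticity_token" value="[session token]" autocomplete="off">
</form>
```

Because variant 3 is a form with its own token, a missing or tampered token is rejected by `protect_from_forgery` regardless of whether Turbo is running, which is the reason to prefer it for any state-changing action.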