I'm sorta new to this stuff, so I was wondering if anyone was familliar with a write up of POST vs. GET and how to use it with Rails? I haven't had much exprience with it, so if it's as simple as addng a line of code or something, please forgive my stupidity.
Thanks in advance
[EDIT:]I fouled up. Sorry if you get this twice.
Thanks... My main concern is users using the URL to delete data and whatnot, I want to "defend" against that.... and it just kinda hit me that by typing in a URL I could delete a user, and I went "oh oh"... I'm assuming it's a pretty common problem that isnt' even a "problem" anymore, I just haven't thought of it till now. I'll watch the keynote.
Alder Green wrote:
most of the HTTP protocol is transparent for you as a Rails developer.
2) The way GET and POST (and PUT, and DELETE) are to be used in Rails: see DHH RailsConf keynote[2]. This one is much more relevant.
For archival purposes, I wanted to include the link to the keynote, you
left it out, I googled it.... I mean I searched for it on Google (
sorry Google 
)
link to keynote videos of RalsConf: http://blog.scribestudio.com/pages/rails/
sw0rdfish wrote:
Thanks... My main concern is users using the URL to delete data and whatnot, I want to "defend" against that.... and it just kinda hit me that by typing in a URL I could delete a user, and I went "oh oh"... I'm assuming it's a pretty common problem that isnt' even a "problem" anymore, I just haven't thought of it till now. I'll watch the keynote.
You could use this to check if it was a post request that called your delete function:
if request.post? .... then delete .. end
If the user just types in the URL, it will create a GET request so the above condition will fail. Cheers Mohit.
If you use RESTful plugin, you won't have to bother with post/get/request.post?
-Pratik
> Thanks... My main concern is users using the URL to delete data and > whatnot, I want to "defend" against that.... and it just kinda hit me > that by typing in a URL I could delete a user, and I went "oh oh"...
Having a URI to delete users is very Railish (it fits the CRUD/REST model very well.
So you can have a typical URI like:
example.com/users/delete/23
To delete User instance with ID 23.
However, the fact that there is such URI says nothing about the permissions required to actually execute the deletion. It means the client ASKS to delete User #23. Whether it would be DONE is an entirely different issue.
There is a further problem with allowing GET requests to invoke actions such
as delete: such links may be followed web spiders, or client-side preloading
cache utilities. POST requests will not be invoked by such automatic tools.
The general rule is not to use GETs for anything that would cause a change of
state on the server. Merely checking whether a client has permission to
delete a User will not prevent problems with client-side tools that pre-load
links that they find on a page.
A good explanation about this could be founded on Agile Web Development with Rails, pg. 335 in a section (16.9) called "The problem with get requests"...
Keep up to date with Rails on Twitter and This Week in Rails
Policies: Conduct, License, Maintenance, Security, Trademarks