> Thanks... My main concern is users using the URL to delete data and
> whatnot, I want to "defend" against that.... and it just kinda hit me
> that by typing in a URL I could delete a user, and I went "oh oh"...
Having a URI to delete users is very Railish (it fits the CRUD/REST
model very well.
So you can have a typical URI like:
To delete User instance with ID 23.
However, the fact that there is such URI says nothing about the
permissions required to actually execute the deletion. It means the
client ASKS to delete User #23. Whether it would be DONE is an entirely
There is a further problem with allowing GET requests to invoke actions such
as delete: such links may be followed web spiders, or client-side preloading
cache utilities. POST requests will not be invoked by such automatic tools.
The general rule is not to use GETs for anything that would cause a change of
state on the server. Merely checking whether a client has permission to
delete a User will not prevent problems with client-side tools that pre-load
links that they find on a page.