
Is there any harm in using a typical GET action for a PUT? (RESTfully speaking)

I have an action that doesn't require a form. So it really only needs the one 'edit' method instead of the RESTful 'edit' --> 'update'. Is there any reason not to do this or a better way?

def edit
  #Do a POST(PUT)
end


The harm is that a user could easily navigate to that URL and perform a potentially destructive action.

/noform/edit   #URL typed by user => Action Performed
/noform/update #URL typed by user => Error is thrown, No Action Performed

A normal browsing experience generates GET requests to the server. The assumption is, any page you can easily navigate to (or type into your address bar) will not perform any data changing functions.

A POST request, generated via a form submission or an AJAX request, expects the result that data is changed on the server.

Similarly, the two Rails "faked" versions of PUT and DELETE are also not actions you could simply navigate to using a browser.

The solution

The solution is to have only the update action and where you originally would have linked to edit use something like the following:

button_to "Add new tracker", noform_path, :method => :put

If there is any type of error, you may still need an edit path to show the user so they can correct something. But from what you have described, a single update action should do the trick.
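
The behaviour described in the answer above, as an added example that is not part of the original post and not Rails' own code: a plain-Ruby model of a route table that has only a PUT update action, with the `_method` override honoured only on POST. The class, route table and sample requests are constructed for illustration.

```ruby
# Simplified stand-in for Rails routing plus the "_method" override; all names are hypothetical.
ROUTES = {
  ["PUT", "/noform"] => :update # the only state-changing route; there is no GET edit route
}.freeze

class NoformApp
  attr_reader :trackers

  def initialize
    @trackers = 0
  end

  # The "faked" PUT/DELETE: a POST carrying _method=put is treated as PUT.
  # The override is honoured only on POST, so a typed URL (a GET) cannot use it.
  def effective_method(verb, params)
    override = params["_method"].to_s.upcase
    return override if verb == "POST" && %w[PUT DELETE].include?(override)
    verb
  end

  # Dispatches one request and returns an HTTP status code.
  def call(verb, path, params = {})
    action = ROUTES[[effective_method(verb, params), path]]
    if action.nil?
      return ROUTES.keys.any? { |_, p| p == path } ? 405 : 404
    end
    send(action)
  end

  private

  def update
    @trackers += 1 # the state change that must not be reachable by plain navigation
    200
  end
end

app = NoformApp.new
# Constructed sample requests: [verb, path, params]
[
  ["GET",  "/noform/edit", {}],
  ["GET",  "/noform", { "_method" => "put" }],
  ["POST", "/noform", { "_method" => "put" }]
].each do |verb, path, params|
  puts "#{verb} #{path} #{params} -> #{app.call(verb, path, params)} (trackers=#{app.trackers})"
end
```

Only the last request changes state; both GET requests are rejected before any action runs.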


GETs should always be idempotent -- that is, they should not perform any action that will alter the state of the application, database, etc.

Just as an aside -- in true RESTful form an edit would be performed by an HTTP Update action, but Rails simulates this with a POST and a hidden value on the form, since browsers don't have HTTP Updates.

It's still not clear to me why you need an update without an input field. Perhaps a little more detail would be helpful.
