
What Is Wrong With Using GET To Remove Content?

I know it goes against the REST architecture but, from a pragmatic viewpoint, what is wrong about using GET request method to remove data from a database?

Let's say I built an application that has an administration panel. In administration panel admins can remove items by accessing URIs like these:

/admin-panel/items-controller/remove-action/id/X

Where X is a primary key of an item to be deleted.

Are there any practical disadvantages to using this approach? Please educate me because I don't understand why POST should be used for this.

My main problem with using POST for removing data is that instead of a simple link (easy to style in CSS) you have to print a form with POST method next to each item and then style it to look like a button/link. Or am I completely misunderstanding?


Three words: search engine spiders.

Or browser plugins that prefetch links to speed up browsing. All kinds of software implicitly assume that a GET request can be made freely without negative effects. It's not just REST; the HTTP standard itself (RFC 2616) says so:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.


Example: you are logged in to your admin panel with full privileges (able to delete). I'm a user with restricted privileges but with knowledge of your architecture. So I can easily give you a link to some "trusted" page where I can put

<img src="/admin-panel/items-controller/remove-action/id/X" width="1" height="1">

You load the page, and the item is deleted because the image request is sent from your admin account.


It's very easy, through history or bookmarks, to re-enter a GET request without realizing it. If the GET is destructive, this can lead to unintentional data loss. You might be safe if your keys aren't repeated, i.e., the action might just fail, but why put your application and data at risk? Destructive actions should always use either POST or DELETE, preferably the latter -- although that usually requires that it be done via AJAX, so you often end up supporting both.

Typically what I do is set up the form with a button, as you note, but then I'll remove the button and replace it with a link and a click handler to invoke the form submission via JavaScript. The delete is usually done via AJAX with the DELETE verb, with the page contents being updated in the callback. This way the delete action works both on browsers with and without JavaScript enabled, but has enhanced functionality and styling when JavaScript is enabled (95%+ of the time).
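Added example, not code from any of the answers above: a Python sketch of the server side of the remove-action route from the question. It refuses GET/HEAD outright (which is what stops the hidden-image request, prefetchers, spiders and an accidental replay from history), and on POST/DELETE it additionally demands a per-session CSRF token, since a cross-site form can still carry the admin's cookies. The controller, session store, header name and request objects are assumptions for the illustration; the requests are constructed in-process, no network involved.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# The route from the question; numeric ids are an assumption for this example.
REMOVE_ROUTE = re.compile(r"^/admin-panel/items-controller/remove-action/id/(\d+)$")


def remove_path(item_id):
    return f"/admin-panel/items-controller/remove-action/id/{item_id}"


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (no real socket involved)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    form: dict = field(default_factory=dict)      # POST body fields
    headers: dict = field(default_factory=dict)   # e.g. X-CSRF-Token on an AJAX DELETE


class ItemsController:
    def __init__(self, items):
        self.items = dict(items)
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]

    def dispatch(self, req):
        m = REMOVE_ROUTE.match(req.path)
        if not m:
            return 404, "no such route"
        return self.remove_action(req, int(m.group(1)))

    def remove_action(self, req, item_id):
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None or sess["user"] != "admin":
            return 403, "admin session required"
        # 1. Keep GET/HEAD safe: never do anything destructive on them. This alone
        #    defeats the <img src=...> trick, link prefetchers, spiders, and an
        #    accidental replay from history or a bookmark.
        if req.method not in ("POST", "DELETE"):
            return 405, "removal requires POST or DELETE"
        # 2. Cookies alone are not proof of intent: a cross-site POST form also
        #    carries them. Require a per-session token the other site cannot know,
        #    taken from a hidden form field or (for AJAX DELETE) a request header.
        supplied = req.form.get("csrf") or req.headers.get("X-CSRF-Token") or ""
        if not hmac.compare_digest(supplied, sess["csrf"]):
            return 403, "missing or invalid CSRF token"
        if item_id not in self.items:
            return 404, f"item {item_id} not found"
        del self.items[item_id]
        return 200, f"item {item_id} removed"


def run_scenarios():
    """Replays the situations described in the answers and returns the status codes."""
    ctl = ItemsController({7: "widget", 8: "gadget"})
    sid = ctl.login("admin")
    admin = {"sid": sid}
    token = ctl.csrf_token(sid)
    results = {}
    # Hidden <img> on another site: the browser sends a GET carrying the admin cookie.
    results["img_tag_get"] = ctl.dispatch(Request("GET", remove_path(7), cookies=admin))[0]
    # Cross-site POST form: cookie present, but the attacker page cannot supply the token.
    results["cross_site_post"] = ctl.dispatch(Request("POST", remove_path(7), cookies=admin))[0]
    # The real form, token in a hidden field (the no-JavaScript fallback).
    results["form_post"] = ctl.dispatch(
        Request("POST", remove_path(7), cookies=admin, form={"csrf": token}))[0]
    # Re-submitting the same form from history: the key no longer exists.
    results["replay_form_post"] = ctl.dispatch(
        Request("POST", remove_path(7), cookies=admin, form={"csrf": token}))[0]
    # The AJAX path: DELETE verb with the token in a header.
    results["ajax_delete"] = ctl.dispatch(
        Request("DELETE", remove_path(8), cookies=admin, headers={"X-CSRF-Token": token}))[0]
    results["remaining"] = sorted(ctl.items)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The 405 on GET is what fixes the problem the question asks about; the token check is the extra step needed once the destructive action moves to POST or DELETE, because changing the verb by itself does not stop a forged cross-site form.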
