views: 66
answers: 2

I have an action that doesn't require a form. So it really only needs the one 'edit' method instead of the RESTful 'edit' --> 'update'. Is there any reason not to do this or a better way?

def edit
  #Do a POST(PUT)
end
+2  A: 

The harm is that a user could easily navigate to that url and perform a potentially destructive action.

/noform/edit   #URL typed by user => Action Performed
/noform/update #URL typed by user => Error is thrown, No Action Performed

A normal browsing experience generates GET requests to the server. The assumption is, any page you can easily navigate to (or type into your address bar) will not perform any data changing functions.

A POST request, generated via a form submission or an AJAX request, expects the result that data is changed on the server.

Similarly, the two Rails "faked" versions of PUT and DELETE also are not actions you could simply navigate to using a browser.

The solution

The solution is to have only the update action and where you originally would have linked to edit use something like the following:

button_to "Add new tracker", noform_path, :method => :put

If there is any type of error, you may still need an edit path to show the user so they can correct something. But from what you have described, a single update action should do the trick.

Doug Neiner
So what's the solution? Should I provide a form that is basically just an empty form, or a button_to? I don't really want the user to see another screen and click another button.
Cameron
The GET for a POST problem is aggravated by search engine spiders, which will perform GETs on every page of your website, systematically performing unwanted edits and deletes.
Robert Harvey
@Cameron I updated my answer. Let me know if it is unclear.
Doug Neiner
@Robert Harvey As @Dave Sims pointed out, GET is not supposed to have side effects by spec, I'd blame the bad websites, not the spiders.
eed3si9n
@eed3si9n: Of course. It's an argument for building your website properly.
Robert Harvey
+2  A: 

GETs should always be idempotent -- that is, they should not perform any action that will alter the state of the application, database, etc.

Just as an aside -- in true RESTful form an edit would be performed by an HTTP Update action, but Rails simulates this with a post and a hidden value on the form, since browsers don't have HTTP Updates.

It's still not clear to me why you need an update without an input field. Perhaps a little more detail would be helpful.

Dave Sims
+1 I can never remember the word idempotent when I am talking with someone about it.
eed3si9n
@eed3si9n -- Likely a Freudian block cause it sounds like something you'd use Viagra for.
Dave Sims
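The point both answers make (a state-changing action must not be reachable by a plain GET, and Rails fakes PUT by sending a POST with a hidden `_method` field, which is what `button_to ... :method => :put` emits) can be shown without a full Rails app. The following is an added, self-contained Ruby sketch of a Rails-style dispatcher, not code from the question or the answers; `NoformController`, `dispatch` and the in-memory `tracker_count` are constructed for illustration.

```ruby
require 'uri'

# Stand-in for the poster's controller: only the single `update` action exists.
class NoformController
  attr_reader :tracker_count

  def initialize
    @tracker_count = 0 # constructed in-memory state, standing in for the database
  end

  # The one action recommended in the accepted answer.
  def update
    @tracker_count += 1
    [200, "tracker added (#{@tracker_count})"]
  end
end

# Rails' "faked" PUT/DELETE: browsers only submit GET and POST from forms, so a
# POST whose body carries _method=put (the hidden field button_to generates)
# is treated as PUT. GET is never rewritten, so a typed URL stays a GET.
def effective_method(method, body)
  return method unless method == 'POST'
  override = URI.decode_www_form(body.to_s).to_h['_method']
  override ? override.upcase : 'POST'
end

# Route table: no `edit` route at all, and `update` answers only to PUT.
# Anything a user types into the address bar (a GET) therefore finds no route.
ROUTES = { ['PUT', '/noform/update'] => :update }.freeze

# Returns [status, message]; only a routed request reaches the controller.
def dispatch(controller, method, path, body = '')
  verb = effective_method(method, body)
  action = ROUTES[[verb, path]]
  return [404, "no route for #{verb} #{path}"] unless action
  controller.public_send(action)
end

if __FILE__ == $0
  c = NoformController.new
  puts dispatch(c, 'GET', '/noform/edit').inspect     # no route, nothing changed
  puts dispatch(c, 'GET', '/noform/update').inspect   # no route, nothing changed
  puts dispatch(c, 'POST', '/noform/update', '_method=put').inspect # faked PUT
end
```

A crawler issuing GETs against every URL on the site never reaches `update` here, which is the property the answers are after.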