I have an action that doesn’t require a form. So it really only needs the one ‘edit’ method instead of the RESTful ‘edit’ –> ‘update’. Is there any reason not to do this or a better way?
def edit
  # Do a POST(PUT)
end
The harm is that a user could easily navigate to that url and perform a potentially destructive action.
A normal browsing experience generates GET requests to the server. The assumption is, any page you can easily navigate to (or type into your address bar) will not perform any data changing functions.
A POST request, generated via a form submission or an AJAX request, expects the result that data is changed on the server.
Similarly the two Rails “faked” versions of PUT and DELETE also are not actions you could simply navigate to using a browser.
The solution
The solution is to have only the update action and where you originally would have linked to edit use something like the following:
If there is any type of error, you may still need an edit path to show the user so they can correct something. But from what you have described, a single update action should do the trick.
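The difference between the two designs can be seen in a toy dispatcher. This is an added example, not part of the original question or answer, written in plain Ruby without Rails; the names `ITEMS`, `effective_method`, `dispatch`, `reset!` and the `/items/1` paths are hypothetical.

```ruby
# Added illustration: a toy router showing why a state-changing action
# should not be reachable with GET. Not Rails code; all names are hypothetical.

ITEMS = { 1 => { published: false } } # constructed sample data

# Browsers only send GET and POST, so Rails "fakes" PUT/DELETE by sending a
# POST carrying a _method parameter. The override is honoured only for POST,
# so a link or address-bar request (GET) cannot be turned into a PUT.
def effective_method(verb, params)
  override = params["_method"].to_s.upcase
  return override if verb == "POST" && %w[PUT PATCH DELETE].include?(override)
  verb
end

# The question's design: GET edit changes data.
UNSAFE_ROUTES = { ["GET", "/items/1/edit"] => :publish }.freeze
# The answer's design: only PUT update changes data.
SAFE_ROUTES   = { ["PUT", "/items/1"] => :publish }.freeze

# Returns an HTTP-like status and applies the action's side effect.
def dispatch(routes, verb, path, params = {})
  action = routes[[effective_method(verb, params), path]]
  return 404 unless action # no route matches this verb + path
  ITEMS[1][:published] = true if action == :publish
  200
end

def reset!
  ITEMS[1][:published] = false
end

# Simply navigating to the URL mutates state under the unsafe design.
reset!
puts "unsafe GET edit     -> #{dispatch(UNSAFE_ROUTES, 'GET', '/items/1/edit')}, " \
     "published=#{ITEMS[1][:published]}"

# Under the safe design a GET (even with _method=put in the query) does nothing.
reset!
puts "safe GET + _method  -> #{dispatch(SAFE_ROUTES, 'GET', '/items/1', { '_method' => 'put' })}, " \
     "published=#{ITEMS[1][:published]}"

# Only a form-style POST carrying _method=put reaches the update action.
puts "safe POST + _method -> #{dispatch(SAFE_ROUTES, 'POST', '/items/1', { '_method' => 'put' })}, " \
     "published=#{ITEMS[1][:published]}"
```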