Rubynating

Tuesday, July 18, 2006

Rails views use GET requests to modify state

It is important to note that the default views generated by Rails scaffolding, such as the one for the list action, break a cardinal rule of HTTP-based processing: a GET request shall not modify state. Said differently, one should be able to issue the same GET request any number of times and get the same response.

If you look at the view generated for the list action, Rails uses a link_to tag on the RHTML page for the destroy action, which results in a GET request being issued. This has repercussions that go beyond the pedantic finger-wagging sermon on violating "cardinal rules".

Consider a Rails application you have developed that includes the default view for listing Employees from the EMPLOYEES table. The view includes a link to edit and a link to delete each row. Now if your web application URL is accessible to a web crawler, it will merrily crawl away your entire EMPLOYEES table!

And no, using a JavaScript confirmation isn't a safeguard, since the web crawler is like a user with JavaScript disabled!
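As an added illustration (not code from the original post or from Rails itself), here is a small Ruby audit script that scans RHTML templates for link_to calls to state-changing actions that would be rendered as plain GET links, run against a constructed copy of the scaffold list view and a hardened variant. The options it treats as safe (:method => :post/:put/:delete, or the older :post => true) are assumed from Rails 1.x link_to; the templates and the EMPLOYEES example are constructed for this demonstration.

```ruby
# Actions that should never be reachable through a plain GET link.
DESTRUCTIVE_ACTIONS = %w[destroy delete update create].freeze

# Constructed template mirroring the scaffold-generated list.rhtml:
# the Destroy link is an ordinary <a href> and will be fetched by any crawler.
SCAFFOLD_LIST_RHTML = <<'RHTML'
<% for employee in @employees %>
  <tr>
    <td><%= link_to 'Show', :action => 'show', :id => employee %></td>
    <td><%= link_to 'Edit', :action => 'edit', :id => employee %></td>
    <td><%= link_to 'Destroy', { :action => 'destroy', :id => employee }, :confirm => 'Are you sure?' %></td>
  </tr>
<% end %>
RHTML

# Hardened variant: the destroy link is forced to submit as a POST
# (assumed Rails 1.x option), so a crawler following hrefs never triggers it.
HARDENED_LIST_RHTML = <<'RHTML'
<% for employee in @employees %>
  <tr>
    <td><%= link_to 'Show', :action => 'show', :id => employee %></td>
    <td><%= link_to 'Edit', :action => 'edit', :id => employee %></td>
    <td><%= link_to 'Destroy', { :action => 'destroy', :id => employee }, :confirm => 'Are you sure?', :method => :post %></td>
  </tr>
<% end %>
RHTML

# Heuristic scan: find each link_to call, pull out its :action, and flag it
# when the action is destructive and no non-GET method option is present.
# Returns an array of { :action => ..., :source => ... } hashes (empty when clean).
def find_unsafe_links(template_source)
  offenders = []
  template_source.scan(/<%=?\s*link_to\s+(.*?)\s*%>/m) do |(args)|
    action = args[/:action\s*=>\s*['"](\w+)['"]/, 1]
    next unless action && DESTRUCTIVE_ACTIONS.include?(action)
    non_get = args =~ /:method\s*=>\s*:(post|put|delete)\b/ || args =~ /:post\s*=>\s*true/
    offenders << { :action => action, :source => "link_to #{args}" } unless non_get
  end
  offenders
end

if __FILE__ == $0
  find_unsafe_links(SCAFFOLD_LIST_RHTML).each { |o| puts "GET link to #{o[:action]}: #{o[:source]}" }
  puts "hardened template: #{find_unsafe_links(HARDENED_LIST_RHTML).size} unsafe link(s)"
end
```

Run over app/views/*/list.rhtml the same way to catch every scaffold-generated destroy link; a `verify :method => :post` guard in the controller is the matching server-side check.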
