* Jesse Sheidlower <jes...@panix.com> [2009-01-21 15:55]:
> What I typically do is have two separate actions, a "delete"
> and a "do_delete". The "delete" action merely displays the
> record and has a form (link, whatever) asking "Are you sure?",
> and then if they agree, you perform the "do_delete" that does
> the business.
>
> You could also have a single delete action but with a "confirm"
> parameter signalling that you're really deleting, etc. There
> are lots of options.
>
> You can pair this with JS if you want.

Best approach for pairing with JS: Do the above, i.e. if the user GETs the link, you send back a form with POST and OK/Cancel buttons which they can use to POST the delete request. *Then*, use unobtrusive JS to modify the links, so that they first pop up a confirm dialog and then submit a hidden form if the user says OK.

That way users who have Javascript get asked OK/Cancel with a popup and they send a POST immediately. And users who don't have Javascript get asked OK/Cancel on a separate page. And deletion is safely shielded behind a POST action in both cases.

(I should make a jQuery plugin out of this sometime...)

First rule of web apps: merely following a link (or typing into the browser address bar and hitting Enter) should NEVER EVER result in a destructive action, no matter what URL the user typed.

Remember that following links need not be intentional. Your browser follows far more links automatically without telling you than the number of links you ever actively click on: every image, every stylesheet, every script, every frame, every Flash object on every page you visit is downloaded automatically.

Now consider what happens if a malicious user puts <img src="http://yourapp.example.org/addressbook/delete/all"> into a page they control and then sends a link to that page to your users. If you allow destructive actions on GET, you have just allowed for your users to be screwed over through no fault of their own.

Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
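The "delete" (GET, confirmation page) / "do_delete" (POST, actual removal) split discussed in the thread, as an added framework-neutral sketch that is not code from the list posts or from Catalyst itself. The handler names, the in-memory address book, the tiny router and the per-session confirmation token are assumptions; the token goes one step beyond the thread's POST-only rule, since a hostile page can auto-submit a cross-site POST form but cannot read the victim's session token.

```python
# Added example (not the list post's code): "delete" shows a confirm form on GET,
# "do_delete" removes the record on POST only. Names and data are assumptions.
import html
import secrets

ADDRESS_BOOK = {1: "alice@example.org", 2: "bob@example.org"}  # constructed sample data
SESSION_TOKEN = secrets.token_hex(16)  # assumed: one anti-forgery token per login session

def delete(method, rec_id, form):
    """GET only: display the record plus an OK/Cancel form that POSTs to do_delete."""
    if method != "GET":
        return 405, "Method Not Allowed"
    if rec_id not in ADDRESS_BOOK:
        return 404, "No such record"
    body = (
        f"<p>Delete {html.escape(ADDRESS_BOOK[rec_id])}? Are you sure?</p>"
        '<form method="POST" action="/addressbook/do_delete">'
        f'<input type="hidden" name="id" value="{rec_id}">'
        f'<input type="hidden" name="token" value="{SESSION_TOKEN}">'
        '<button>OK</button> <a href="/addressbook">Cancel</a></form>'
    )
    return 200, body

def do_delete(method, form):
    """POST only: perform the deletion. A GET (img src, typed URL, prefetch) changes nothing."""
    if method != "POST":
        return 405, "Method Not Allowed"
    # Token check (beyond the email's POST-only rule): a forged cross-site POST
    # cannot carry the victim's session token, so it is refused here.
    sent = form.get("token", "").encode()
    if not secrets.compare_digest(sent, SESSION_TOKEN.encode()):
        return 403, "Bad confirmation token"
    try:
        rec_id = int(form.get("id", ""))
    except ValueError:
        return 400, "Bad id"
    if ADDRESS_BOOK.pop(rec_id, None) is None:
        return 404, "No such record"
    return 303, "/addressbook"  # redirect after POST so a reload cannot repeat it

def dispatch(method, path, form=None):
    """Tiny router standing in for Catalyst's action dispatch (assumption)."""
    form = form or {}
    parts = path.strip("/").split("/")
    if parts[:2] == ["addressbook", "delete"] and len(parts) == 3 and parts[2].isdigit():
        return delete(method, int(parts[2]), form)
    if parts == ["addressbook", "do_delete"]:
        return do_delete(method, form)
    return 404, "Not Found"
```

The unobtrusive JS described in the post would attach to the "delete" links, show a confirm dialog and submit the same hidden POST form; without JS the GET simply renders that form.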