On 05/03/2016 03:13 PM, Søren Løvborg wrote:
> Considering that method overrides are designed specifically to
> accommodate HTML forms, we could pull the CSRF token out of the POST
> request body and stuff it into a header as part of the override
> process. But at that point, it just feels like we're digging ourselves
> in even deeper. A saner approach would be to phase out method
> overrides altogether, and just let POST requests be POST requests.
> (Add an "action" argument or similar as needed, but leave that to the
> controller, and keep it out of routing and security checks.)

It seems like that would be a general refactoring and code improvement that could be done on the default branch and pave the way for the TG migration?

I think it would be nice to have more of those ... or to use the modularity of TG to migrate to TG module by module - for example perhaps by switching from paster to gearbox or by changing the routing mechanism or adding a new State of the TG Art RESTish web services API.

/Mads