On Wed, Jun 18, 2008 at 1:55 PM, JLIST <[EMAIL PROTECTED]> wrote:
>
> Sounds like web designer's fault. No permission check and no
> confirmation for deletion?
>

Nope ... application designer's fault for misusing the web.  Allowing
deletes on a GET violates HTTP/1.1 requirements (not just RESTful
ones) that GET requests not have side effects, so an app that works
that way is going to mess up when HTTP caching is in use ... as lots
of people found to their chagrin when they installed Google Desktop's
caching capabilities, and the cache played by the standard HTTP rules
(GETs are supposed to be idempotent, having no side effects, so it's
just fine to issue the same GET as many times as desired).

If you want an easy way to do deletes from a browser, just set up a
little form that does a POST and includes the id of the document you
want to delete.  Then you're playing by the rules, and won't make a
fool of yourself when crawlers or caches interact with your
application.

Craig McClanahan

>> Never, never delete with a GET. The Ultraseek spider deleted 20K
>> documents on an intranet once because they gave it admin perms and
>> it followed the "delete this page" link on every page.
>
>
>
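
The POST-only delete form suggested in the reply above, as an added example that is not part of the original thread: a minimal WSGI app whose delete endpoint refuses GET with 405, so a crawler or cache that replays every URL cannot remove anything. The names `DOCS`, `app` and `call`, the `/delete` path and the sample documents are assumptions constructed for illustration.

```python
import io
from html import escape
from urllib.parse import parse_qs

DOCS = {"1": "alpha", "2": "beta", "3": "gamma"}  # constructed sample store


def app(environ, start_response):
    """Hypothetical WSGI app: /delete changes state only on POST."""
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "")
    if path == "/delete":
        if method != "POST":
            # GET/HEAD must stay free of side effects: refuse, advertise POST.
            start_response("405 Method Not Allowed",
                           [("Allow", "POST"), ("Content-Type", "text/plain")])
            return [b"use POST to delete\n"]
        try:
            size = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            size = 0
        form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8"))
        doc_id = form.get("id", [""])[0]
        if DOCS.pop(doc_id, None) is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"no such document\n"]
        # Redirect so a browser reload does not re-send the POST.
        start_response("303 See Other", [("Location", "/")])
        return [b""]
    if path == "/" and method in ("GET", "HEAD"):
        # Each entry is a small form that POSTs the id, not a "delete" link.
        rows = "".join(
            f'<form method="post" action="/delete">{escape(name)} '
            f'<input type="hidden" name="id" value="{escape(i)}">'
            f'<button>Delete</button></form>' for i, name in sorted(DOCS.items()))
        start_response("200 OK", [("Content-Type", "text/html")])
        return [rows.encode("utf-8")]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


def call(method, path, query="", body=b""):
    """Drive the app in-process; returns (status, headers dict, body bytes)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = app(environ, lambda s, h: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"], b"".join(out)
```

Calling `call("GET", "/delete", query="id=1")` returns a 405 and leaves `DOCS` untouched, while `call("POST", "/delete", body=b"id=1")` removes the document and redirects.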
