django-object-actions icon indicating copy to clipboard operation
django-object-actions copied to clipboard

Published 20 hours ago verified publisher icon crccheck

feat!: invoke actions on POST only

Open wlatanowicz opened this issue 3 years ago • 5 comments

closes #16

wlatanowicz avatar Nov 21 '22 08:11 wlatanowicz

I like the idea of restricting to POST only, in order to avoid XSS. Is there any reason not to use <input type="hidden" name="{{ k }}" value="{{ v }}" /> (and a classic submit button)?

pfouque avatar Nov 28 '22 06:11 pfouque

Is there any reason not to use <input type="hidden" name="{{ k }}" value="{{ v }}" /> (and a classic submit button)?

I decided to use <a> element as an action button, to avoid potentially complex changes to css styles.

wlatanowicz avatar Dec 26 '22 19:12 wlatanowicz

sorry for dragging my feet on this. I keep thinking I'll have time the next holiday to go over this, but real life keeps getting in the way. I like what I see so far; switching over to POST keeps things simple.

crccheck avatar Jan 03 '23 22:01 crccheck

@crccheck have you went over this PR? I'd really appreciate merging this in. Cheers!

SupraSummus avatar Oct 27 '23 13:10 SupraSummus

I think we need to phase in this feature more gradually. Like:

  1. Add a toggle to use POST instead of GET (default to GET). Perhaps make the options: GET, POST, and ONLY_POST
  2. Make a "breaking" change to the default from GET to POST

I've been meaning to do it for awhile but real life has gotten pretty busy

crccheck avatar Oct 27 '23 16:10 crccheck