django-object-actions

POST actions

Open jamesshannon opened this issue 11 years ago • 4 comments

Have there been any thoughts about converting actions to POST requests rather than GET?

I found https://github.com/texastribune/django-object-actions/pull/2 but it appears that's mostly on the serving side and not where the buttons are produced.

However, almost by definition an "action" should be initiated with a POST rather than a GET, both for semantics and security. Is there an easy way to do this? Any reasons not to?

James

jamesshannon avatar Apr 07 '14 07:04 jamesshannon

You can do a POST request if you want; you have to make your own template to do it, though.

crccheck avatar Apr 07 '14 16:04 crccheck

Would you be open to a PR to allow only posts (maybe per-action)?

Without that, we're leaving the door wide open to cross site request forgeries.

I'm not sure how to best go about doing this. In my experience trying to overload a list (i.e., changing objectactions = ('one', 'two') to objectactions = (('one', ['POST', 'GET']), ('two',))) often causes problems.

Maybe we can set a property on the action method itself?

def action(self):
    pass

action.methods = ['POST', 'GET']

jamesshannon avatar Apr 09 '14 18:04 jamesshannon
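
The per-action `methods` attribute proposed above could be enforced at dispatch time as in the following added example, which is not code from django-object-actions or from either commenter. It is framework-free: `Request`, `run_action`, `allowed_methods` and `DemoAdmin` are hypothetical names, and defaulting to POST-only when no `methods` attribute is set is an assumption of this sketch. In Django, CSRF token checking applies only to unsafe methods such as POST, which is why rejecting GET for state-changing actions matters.

```python
# Added illustration; every name here is hypothetical, not the library's API.
from dataclasses import dataclass

SAFE_DEFAULT = ("POST",)  # assumption: actions change state, so default to POST only


@dataclass
class Request:
    """Constructed stand-in for django.http.HttpRequest (only .method is used)."""
    method: str


def allowed_methods(action):
    """Read the per-action `methods` attribute proposed in the thread."""
    return tuple(m.upper() for m in getattr(action, "methods", SAFE_DEFAULT))


def run_action(admin, name, request, obj):
    """Dispatch `name` on `admin` only if the request method is allowed.

    Returns (status, headers, body), the shape a real view would turn into
    an HTTP response.
    """
    # Only names listed in objectactions are callable, never arbitrary attributes.
    if name not in getattr(admin, "objectactions", ()):
        return 404, {}, "unknown action"
    action = getattr(admin, name)
    allowed = allowed_methods(action)
    if request.method.upper() not in allowed:
        # A 405 response carries an Allow header listing the permitted methods.
        return 405, {"Allow": ", ".join(allowed)}, "method not allowed"
    return 200, {}, action(request, obj)


class DemoAdmin:
    objectactions = ("publish", "preview")

    def publish(self, request, obj):  # state-changing: no `methods`, so POST only
        obj["published"] = True
        return "published"

    def preview(self, request, obj):  # read-only: explicitly opts in to GET
        return "preview of %s" % obj["title"]
    preview.methods = ["GET", "POST"]
```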

The latter is more of what I was thinking. I was also thinking of building in the boilerplate for handling permissions (right now you have to do it yourself, but it can get repetitive boilerplate).

crccheck avatar Apr 09 '14 19:04 crccheck