Is there a real problem with using i.e. get method instead of put in an action through clicking on a

Time:11-13

For example, I have a button for thumbs up, or I want to resend a specific mail, or I change a specific enum state by clicking on a button (like published/unpublished).

Now, regarding the Rails implementation, I can make it work using either PUT, GET or PATCH, since I only have to send a specific id.

In my opinion it seems to be best practice to use PATCH, POST or PUT whether one or several attributes will change on my objects. So this seems mainly to be a convention here.

On the server side I will have to add some policies to allow only specific users to do so, but beyond adding policies, are there any possible issues with not using the conventional HTTP method here?

CodePudding user response:

One very real problem with using GET is that it is supposed to be an idempotent method. Let's say the new guy creates the form:

# config/routes.rb
get '/posts',        to: "posts#index"
get '/posts/new',    to: "posts#new"
get '/posts/create', to: "posts#create"   # state-changing action routed on GET

<%# app/views/posts/new.html.erb %>
<%= form_with(model: @post, url: '/posts/create', method: :get) do |f| %>
  <div class="field">
    <%= f.label :title %>
    <%= f.text_field :title %>
  </div>
  <%= f.submit %>
<% end %>

# app/controllers/posts_controller.rb
class PostsController < ApplicationController
  def index
    @posts = Post.all
  end

  def new
    @post = Post.new
  end

  # Creates a record in response to a GET request: this is the mistake being described.
  def create
    @post = Post.new(title: params[:post][:title])
    @post.save
    redirect_to action: :index
  end
end

He then tries it out in the browser and is perfectly happy with it. Mission accomplished.

His boss then attempts to test it. He creates a Post titled "This new guy might not be so bad anyways". And then he hits the back button to try creating another Post. Weirdly, it just loops back to the index page. He tries it again; the only thing that happens is that the page starts to fill up with "This new guy might not be so bad anyways", and he becomes less and less convinced that it's actually true.

If you used POST, PATCH, PUT or DELETE, the browser would have warned him that he is about to resend a form. That's why GET should never change anything on the server (besides maybe your pageview stats).

It also makes it possible for any malicious actor to get users to create, delete or modify resources simply by fooling them into clicking a link. The malicious actor doesn't even have to go through the effort of creating a phishing site and circumventing the anti-CSRF protection that Rails provides.

There is absolutely no difference between how POST, PATCH, PUT or DELETE are treated by the client or server beyond the conventions of Rails.

But since Rails is a highly convention-driven framework which adheres to a specific flavor of REST, it really behooves you to follow those conventions if you want to be productive and not be that new guy.

When it comes to actions beyond the classical CRUD verbs, it's really down to your best judgement, and intent is really what matters. What does the action do? Is it updating something (PATCH)? Is it actually a separate resource (POST /mails/1/mailouts)? As you may see, there is no easy answer. Just be clear and document what you're doing if you're unsure.
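As an added illustration of the CSRF point made in the answer above (example code written for this page, not from the original post and not Rails' own code): a small plain-Ruby model of a Rails-style dispatcher. It assumes a hypothetical `/posts/1/publish` action and mirrors, in simplified form, the rule in Rails' request-forgery protection that GET and HEAD requests are never checked for an authenticity token, because those methods are supposed to be safe. With the action routed on GET, the request a victim's browser makes for an attacker's `<img src=...>` publishes the post with no token involved; with the action routed on PATCH, that forged GET matches no route, a forged PATCH without the token is rejected, and only the legitimate form carrying the token succeeds.

```ruby
# Added example: a toy model of Rails routing plus request-forgery protection.
# Nothing here is Rails code; it only reproduces the relevant rule, namely that
# GET/HEAD bypass the authenticity-token check (cf. verified_request? in
# ActionController::RequestForgeryProtection).
require 'securerandom'

class Post
  attr_reader :id, :published

  def initialize(id)
    @id = id
    @published = false
  end

  def publish!
    @published = true
  end
end

# Minimal request: HTTP method, path and form params. Cookies are implied: the
# browser attaches the victim's session cookie to cross-site requests too.
Request = Struct.new(:method, :path, :params, keyword_init: true)

class App
  SAFE_METHODS = %w[GET HEAD].freeze

  attr_reader :csrf_token

  # route_publish_on: the HTTP method the hypothetical "publish" action is routed on.
  def initialize(route_publish_on:)
    @posts = { 1 => Post.new(1) }
    @csrf_token = SecureRandom.hex(16) # token the legitimate page embeds in its forms
    @routes = { [route_publish_on, '/posts/1/publish'] => :publish }
  end

  def post(id)
    @posts[id]
  end

  # GET and HEAD skip the token check; every other method must present it.
  def verified?(req)
    SAFE_METHODS.include?(req.method) || req.params['authenticity_token'] == @csrf_token
  end

  def call(req)
    action = @routes[[req.method, req.path]]
    return [404, 'not found'] unless action
    return [422, 'invalid authenticity token'] unless verified?(req)

    public_send(action)
  end

  def publish
    @posts[1].publish!
    [200, 'published']
  end
end

# What the victim's browser sends when an attacker's page contains
# <img src="https://app.example/posts/1/publish">: a plain GET, no token.
def cross_site_get
  Request.new(method: 'GET', path: '/posts/1/publish', params: {})
end

# Action routed on GET: the forged request is routed and never token-checked.
def vulnerable_result
  app = App.new(route_publish_on: 'GET')
  status, _body = app.call(cross_site_get)
  [status, app.post(1).published] # => [200, true]
end

# Action routed on PATCH: the forged GET matches no route, a forged PATCH (an
# auto-submitting form on the attacker's page) fails the token check, and only
# the legitimate form carrying the token succeeds.
def hardened_result
  app = App.new(route_publish_on: 'PATCH')
  get_status, = app.call(cross_site_get)
  forged = Request.new(method: 'PATCH', path: '/posts/1/publish', params: {})
  forged_status, = app.call(forged)
  untouched = !app.post(1).published
  legit = Request.new(method: 'PATCH', path: '/posts/1/publish',
                      params: { 'authenticity_token' => app.csrf_token })
  legit_status, = app.call(legit)
  { forged_get: get_status, forged_patch: forged_status, still_unpublished: untouched,
    legit: legit_status, published: app.post(1).published }
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_result
  p hardened_result
end
```

Running the file prints `[200, true]` for the GET-routed version and a hash showing 404 / 422 / 200 for the PATCH-routed one. In a real Rails app the equivalent of the hardened route is a member route such as `patch :publish, on: :member` inside `resources :posts`, with the button rendered by `button_to`, which emits a token-bearing form rather than a bare link.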
