POST actions #16

Open
jamesshannon opened this issue Apr 7, 2014 · 3 comments · May be fixed by #149

@jamesshannon
Contributor

Have there been any thoughts about converting actions to POST requests rather than GET?

I found https://github.com/texastribune/django-object-actions/pull/2 but it appears that's mostly on the serving side and not where the buttons are produced.

However, almost by definition an "action" should be initiated with a POST rather than a GET, both for semantics and security. Is there an easy way to do this? Any reasons not to?

James

@crccheck
Owner

crccheck commented Apr 7, 2014

You can do a POST request if you want; you have to make your own template to do it though.

@jamesshannon
Contributor Author

Would you be open to a PR to allow only posts (maybe per-action)?

Without that, we're leaving the door wide open to cross site request forgeries.

I'm not sure how to best go about doing this. In my experience trying to overload a list (i.e., changing objectactions = ('one', 'two') to objectactions = (('one', ['POST', 'GET']), ('two',))) often causes problems.

Maybe we can set a property on the action method itself?

def action(self):
    pass

action.methods = ['POST', 'GET']

@crccheck
Owner

crccheck commented Apr 9, 2014

The latter is more of what I was thinking. I was also thinking of building in the boilerplate for handling permissions (right now you have to do it yourself, but it can get repetitive boilerplate).
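The per-action `methods` attribute proposed in this thread, sketched as a framework-free dispatcher. This is an added example, not django-object-actions code: `dispatch`, `allowed_methods`, `ArticleAdmin`, the tuple response and the POST-only default are all assumptions.

```python
# Added illustration; not django-object-actions code. All names are hypothetical.
SAFE_DEFAULT = ("POST",)  # assumption: an action changes state unless it says otherwise


def allowed_methods(action):
    """Return the upper-cased HTTP methods an action accepts."""
    declared = getattr(action, "methods", SAFE_DEFAULT)
    if isinstance(declared, str):  # methods = "POST" must not be iterated per character
        declared = (declared,)
    return tuple(m.upper() for m in declared)


def dispatch(admin, name, http_method, obj):
    """Run admin.<name>(obj) only if it is listed and http_method is permitted.

    Returns (status, headers, body), a stand-in for a framework response.
    """
    if name not in getattr(admin, "objectactions", ()):
        return 404, {}, "unknown action"
    action = getattr(admin, name)
    allowed = allowed_methods(action)
    if http_method.upper() not in allowed:
        # A 405 response carries an Allow header listing the accepted methods.
        return 405, {"Allow": ", ".join(allowed)}, "method not allowed"
    return 200, {}, action(obj)


class ArticleAdmin:
    objectactions = ("publish", "preview")

    def publish(self, obj):  # state-changing: no attribute, so POST only
        obj["published"] = True
        return "published"

    def preview(self, obj):  # read-only: opts in to GET
        return "preview of " + obj["title"]

    preview.methods = ["GET", "POST"]


if __name__ == "__main__":
    article = {"title": "Hello", "published": False}  # constructed sample object
    admin = ArticleAdmin()
    print(dispatch(admin, "publish", "GET", article))   # rejected, object unchanged
    print(dispatch(admin, "publish", "POST", article))  # accepted
```

In Django, restricting an action to POST also places it under `CsrfViewMiddleware`'s token check, which GET requests are exempt from.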
