>> map.resource('model', 'models', path_prefix='/admin/{model_name}',
>> controller='admin', member={'confirm':'GET'})
>
> That's what I did, only I used:
>
> member={"ask_delete": "GET"}
>
> I think this should be added to Routes.

You definitely got me right, Mike.

> Delete confirmation is necessary in many interactive applications.
>>
>> We have such decorators for authentication/authorization purpose. Has
>> anyone seen such for confirmation problem?
>
> Interactive users won't get to the delete action except through the
> form. They can't enter it directly into the URL box because that
> always produces a GET. Non-interactive agents are accustomed to
> producing 'DELETE' requests directly, and wouldn't know what to do
> with a form anyway.
>

That is correct when users are good. Unfortunately, there exist malicious ones, plus bots.

> You can undoubtedly simulate a confirmation with a decorator, but just
> adding a GET URL with a form seems more straightforward.
>

Confirmation by preliminary GET is _voluntary_. That is the problem I'm trying to outline. When confirmation is a decorator, even an authenticated user _has to_ interact. Consider this as a flavor of CAPTCHA. (BTW, who can share experience in pylons+captcha?).

>
> Or you can use Javascript to display a confirmation alert dialog.
> That's a kind of "decorator". But it would be bypassed in non-visual
> browsers or if Javascript is disabled.
>

Plus if someone wants to bypass it express.

> I don't understand Vlad's point:
>
>> Confirmation is a process that is not fully compatible with (pure) REST,
> because requests must not be dependent of previous ones.
> ...

I think he meant here "(pure) REST must be stateless".

>> ...But if you need one, think of it as a "Deletion resource". POST to
> create a "deletion resource". The response is a form containing a nonce
> token, ...
>

Maybe "Server-side has a separate queue for queries-for-deletion; to push such a query, a request should be made as POST <URI>/delete"?

> But there's nothing wrong with adding additional GET URLs to resources.

Of course. A thought has just come: I'd map GET <URI>/delete to "confirm delete?" and DELETE <URI> to "do delete".
This IMHO looks quite reasonable for standard routes.

> That's just asking the resource to
> show a different "view" of itself.
>

Yes. And to follow DRY principle for confirmation I reuse "show" template prepended by "Want to delete this record?" and followed by <form> with delete method.

--
Vladimir
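One way to make the confirmation step discussed in this thread mandatory rather than voluntary is to have GET <URI>/delete put a signed, single-use nonce token into the form and have DELETE <URI> refuse to act without it. This is an added example, not code from the thread or from Pylons/Routes; the function names, `SECRET_KEY`, `TOKEN_TTL` and the in-memory nonce set are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumed: per-deployment secret, loaded from config in practice
TOKEN_TTL = 300                       # assumed: seconds a confirmation form stays valid
_used_nonces = set()                  # assumed: in-memory replay guard; use a shared store across workers


def _sign(user, uri, nonce, expires):
    # repr() of the tuple gives an unambiguous encoding of the signed fields.
    msg = repr((user, uri, nonce, expires)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_delete_token(user, uri, now=None):
    """For GET <URI>/delete: value of a hidden field in the confirmation form."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    expires = now + TOKEN_TTL
    return "%s.%d.%s" % (nonce, expires, _sign(user, uri, nonce, expires))


def verify_delete_token(token, user, uri, now=None):
    """For DELETE <URI>: True only for a fresh, unused token bound to this user and URI."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token: no confirmation form was used
    expected = _sign(user, uri, nonce, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # forged, or issued to another user or for another resource
    if now > expires or nonce in _used_nonces:
        return False  # expired or replayed
    _used_nonces.add(nonce)  # consume: one confirmation authorizes one delete
    return True
```

A client that sends DELETE directly, without first fetching the confirmation form as the same authenticated user, has no valid token and is rejected.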
