Saturday, August 27th, 2005
Using Rails Ajax helpers to create safe state-changing links
Jarkko Laine discusses Using Rails Ajax helpers to create safe state-changing links:
A few months ago there was a heated discussion going on about Google Web Accelerator prefetching links and at the same time wreaking havoc in web apps that used plain GET links to change the state of an application. A few tricks came up on how one could block GWA from accessing given pages, but in the end, using GET requests for operations such as deleting records in your app remained dangerous.
The traditional means to avoid the perils of GWA and friends are two-fold: either use only form buttons (and thus POST requests) to commit these mission-critical actions, or link to a confirmation page that does the same.
Unfortunately, these solutions are less than optimal.
Jarkko goes on to give an example of how you can use Rails’ link_to_remote magic to help out, even giving you a graceful fallback:
    <%= link_to_remote "Delete",
          {:url => {:controller => "monkey",
                    :action => "delete",
                    :id => monkey.id},
           :update => "monkeys"},
          {:href => url_for(:controller => "monkey",
                            :action => "delete",
                            :id => monkey.id)} %>
It would be nice to be able to <a href="…." method="POST"> of course.
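The fallback href in the snippet still points at the delete action, so a plain GET (a prefetcher, or a browser without JavaScript) can reach it, and the server has to treat that GET as non-destructive. A sketch of that server-side check follows; it is an added example, not code from Jarkko's article or from Rails. It assumes the Ajax call arrives as POST, and MonkeyApp, its route and the sample records are constructed for illustration:

```ruby
# Added example: a Rack-style handler in plain Ruby (no Rails or Rack gem).
# MonkeyApp, its route and the sample records are constructed for illustration.
class MonkeyApp
  ROUTE = %r{\A/monkey/delete/(\d+)\z}

  attr_reader :monkeys

  def initialize(monkeys)
    @monkeys = monkeys
  end

  # env uses the Rack keys REQUEST_METHOD and PATH_INFO;
  # the return value is the Rack triple [status, headers, body].
  def call(env)
    id = env["PATH_INFO"].to_s[ROUTE, 1]
    return respond(404, "no such monkey") unless id && @monkeys.key?(id.to_i)

    case env["REQUEST_METHOD"]
    when "POST"
      # Only an explicit POST (the Ajax call or a submitted form) changes state.
      @monkeys.delete(id.to_i)
      respond(200, "deleted monkey #{id}")
    when "GET", "HEAD"
      # A followed or prefetched link lands here: ask for confirmation via a
      # POST form and leave the record untouched.
      respond(200, %(<form method="post" action="/monkey/delete/#{id}">) +
                   %(<input type="submit" value="Really delete?"></form>))
    else
      respond(405, "method not allowed", { "Allow" => "GET, HEAD, POST" })
    end
  end

  private

  def respond(status, body, extra = {})
    [status, { "Content-Type" => "text/html" }.merge(extra), [body]]
  end
end

if __FILE__ == $0
  app = MonkeyApp.new({ 4 => "George", 7 => "Bubbles" })
  get = app.call({ "REQUEST_METHOD" => "GET", "PATH_INFO" => "/monkey/delete/4" })
  puts "GET  -> #{get[0]}, records left: #{app.monkeys.keys.inspect}"
  post = app.call({ "REQUEST_METHOD" => "POST", "PATH_INFO" => "/monkey/delete/4" })
  puts "POST -> #{post[0]}, records left: #{app.monkeys.keys.inspect}"
end
```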
Hmm.. What about applying rel="nofollow" attribute to state changing links? Like so:
<a href="http://www.anothersite.com?action=del&id=4" rel="nofollow">Delete</a>