[Catalyst] Re: how to confirm before deleting

Aristotle Pagaltzis pagaltzis at gmx.de
Thu Jan 22 05:28:45 GMT 2009


* Jesse Sheidlower <jester at panix.com> [2009-01-21 15:55]:
> What I typically do is have two separate actions, a "delete"
> and a "do_delete". The "delete" action merely displays the
> record and has a form (link, whatever) asking "Are you sure?",
> and then if they agree, you perform the "do_delete" that does
> the business.
>
> You could also have a single delete action but with a "confirm"
> parameter signalling that you're really deleting, etc. There
> are lots of options.
>
> You can pair this with JS if you want.

Best approach for pairing with JS:

Do the above, i.e. if the user GETs the link, you send back a form
with POST and OK/Cancel buttons which they can use to POST the
delete request. *Then*, use unobtrusive JS to modify the links,
so that they first pop up a confirm dialog then submit a hidden
form if the user says OK.

That way users who have JavaScript get asked OK/Cancel with a
popup and they send a POST immediately. And users who don’t have
JavaScript get asked OK/Cancel on a separate page. And deletion
is safely shielded behind a POST action in both cases.

(I should make a jQuery plugin out of this sometime…)

First rule of web apps: merely following a link (or typing into
the browser address bar and hitting Enter) should NEVER EVER
result in a destructive action, no matter what URL the user
typed.

Remember that following links need not be intentional. Your
browser follows far more links automatically without telling you
than the number of links you ever actively click on: every image,
every stylesheet, every script, every frame, every Flash object
on every page you visit is downloaded automatically. Now consider
what happens if a malicious user puts

    <img src="http://yourapp.example.org/addressbook/delete/all">

into a page they control and then sends a link to that page to
your users. If you allow destructive actions on GET, you have
just allowed for your users to be screwed over through no fault
of their own.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
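The link-to-hidden-form wiring described in the reply above, written out as an added example (not code from the post, nor from Catalyst). It assumes that delete links carry a `data-confirm` attribute holding the question to ask, and that the server performs the deletion only on POST, answering a GET of the same URL with the OK/Cancel page.

```javascript
// Added example: unobtrusive JS for "GET shows the confirm page, POST deletes".
// Assumptions (not from the post): delete links are marked with data-confirm,
// and the server only deletes on POST, so users without JavaScript who follow
// the plain link still land on the OK/Cancel page instead of deleting anything.

// Pure part: describe the hidden form that replaces a delete link.
function deleteLinkToForm(href, prompt) {
  return {
    method: 'POST',          // never GET: see the <img src=...> scenario
    action: href,            // same URL the no-JS confirm page posts to
    prompt: prompt || 'Are you sure?',
    fields: { confirm: '1' } // mirrors the "confirm" parameter variant
  };
}

// Browser part: swap each marked link for a confirm-then-POST handler.
function enhanceDeleteLinks(doc) {
  const links = doc.querySelectorAll('a[data-confirm]');
  for (const link of links) {
    const spec = deleteLinkToForm(link.getAttribute('href'),
                                  link.getAttribute('data-confirm'));
    link.addEventListener('click', function (ev) {
      ev.preventDefault();                        // do not follow the GET link
      if (!window.confirm(spec.prompt)) return;   // user said Cancel
      const form = doc.createElement('form');
      form.method = spec.method;
      form.action = spec.action;
      form.style.display = 'none';
      for (const [name, value] of Object.entries(spec.fields)) {
        const input = doc.createElement('input');
        input.type = 'hidden';
        input.name = name;
        input.value = value;
        form.appendChild(input);
      }
      doc.body.appendChild(form);       // must be in the document to submit
      form.submit();                    // sends the POST immediately
    });
  }
  return links.length;                  // number of links enhanced
}

// Only wire up the DOM when running in a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    enhanceDeleteLinks(document);
  });
}
```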