dotnetN00b

Reputation: 5131

What is the right way to create a Delete link in MVC3?

At first I was creating Delete links with just the Html.ActionLink method. But then I ran across an article that said that that is wrong and shouldn't be used that way. It then suggested the Master -> Detail way. But that seems silly. There should be a way for me to have a Delete link (with an "Are You Sure" prompt) and still not be a security hole. Right?

Upvotes: 0

Views: 1832

Answers (3)

Erik Funkenbusch

Reputation: 93434

The issue has nothing to do with links or ActionLink or anything like that. The issue is that you shouldn't have action methods that Delete on HttpGet requests.

As for why you shouldn't do this: imagine that your boss has entered a reprimand into your online Employee profile. If you happen to know that this application deletes records with a GET request, then you need only create a specially crafted page in which an img tag contains the URL to delete your reprimand, then put it on the company's home page. Eventually, someone with access to delete these entries goes to the web page and poof... you have a clear record.

That might not seem so bad. You just improved your standing. But imagine your co-worker is mad at you, and he knows of a similar trick that would allow him to trick your boss into lowering your salary.

Not so funny anymore.

It's insecure to allow these kinds of actions because they can be triggered without a user even knowing what they're doing.

Upvotes: 1

Display Name

Reputation: 4732

In the following article they describe a nice way of doing what you're looking for: Simple jQuery Delete Link For ASP.NET MVC.

But I think what you're actually looking for as an alternative is this posting: ASP.NET MVC Delete ActionLink with confirm.

So you have two options and I hope it is of help to you.

Upvotes: 0

webdeveloper

Reputation: 17288

Yes, using the GET method to delete data is bad practice. You need to use the POST method; it can be done, for example, with a form or jQuery/JavaScript. But note that if you use a simple link with an attached prompt, the user can click the center button and delete data, or JavaScript could be disabled. It's also a security problem: someone could give you a link and you remove some data from the server.

Example:

<a href="/controller/delete/1" onclick="$.post(this.href); return false;">Delete</a>

If the server gets a GET to /controller/delete/x then serve up a confirmation page with a POST form (on this form we put two buttons, Yes and No; the first button submits the form with hidden fields). If the server gets a POST (or maybe a DELETE) request then do the deletion.

Upvotes: 1
