Question

In the routes.rb file:

get 'commands/deleteuser/' => 'commands#delete_user', as: :delete_user

In the view:

<%= link_to "Delete", delete_user_path(:user_id => user.id, :command_id => @command.id), data: { confirm: "Are you sure?" } %>

In this way I can call it from the action (and it works):

user = User.find(params[:user_id])

My question is: is it right to use GET in this way? I mean, the GET method shows all the attributes in the URL, but in the way I used them they are all hidden. So is it right to use a GET method? Second, where are they stored if they are not visible in the URL?

Where are the params stored in this case if I don't see them in the URL?

routes.rb:

FwLab::Application.routes.draw do
  get 'commands/deleteuser/'            => 'commands#delete_user',          as: :delete_user
  patch 'users/:id/changeadmin'         => 'users#changeadmin',             as: :changeadmin
  post 'commands/execute'               => 'commands#execute',              as: :execute
  get 'commands/:id/userslist'          => 'commands#users_list',           as: :list
  get 'commands/:id/adduserindex'       => 'commands#add_user_index',       as: :add_user_index
  post 'commands/adduser'               => 'commands#user_add',             as: :user_add

  resources :users,    only: [:create, :edit, :update, :index, :destroy]
  resources :sessions, only: [:new, :create, :destroy]
  resources :commands, only: [:index, :new, :create, :edit, :update, :destroy]
  root 'sessions#new'
  match '/about',   to: 'static_pages#about',   via: 'get'
  match '/help',    to: 'static_pages#help',    via: 'get'
  match '/signup',  to: 'users#new',            via: 'get'
  match '/signout', to: 'sessions#destroy',     via: 'delete'
  match '/home',    to: 'commands#index',       via: 'get'
end

Solution

Actions / links that change something, especially destructive ones, should not be made available through GET. This is dangerous because, for example, search engines that crawl your website could follow such a link and accidentally delete a user.

In this case, you should use HTTP DELETE. To do so,

  • change your route to

    delete 'commands/deleteuser' => 'commands#delete_user', as: :delete_user
    
  • in your link helper, add the method attribute

    <%= link_to "Delete", delete_user_path(:user_id => user.id, :command_id => @command.id), method: :delete, data: { confirm: "Are you sure?" } %>
    

There are two ways parameters can be passed from browser to server with a request:

  1. as query string parameters, that is, as part of the URL, e.g. example.com?param=value
  2. as part of the request body

Your browser transmits a lot of data to the server with each interaction (clicking a link, submitting a form, etc.) that is usually invisible to you. Take a look at the developer tools built into your browser to make it visible. Here is a screenshot from Chrome's developer tools:

[Screenshot from Chrome's developer tools]

This is a POST request, something you usually see for example when submitting a form. The data that would be appended to the URL in a GET request is visible here under "Form Data".
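The following is an added example and not code from the question or the answer above. It is a stdlib-only Ruby model of what sits between the browser and a Rails controller, so the two points in the answer can be traced on realistic requests: params arrive in the query string (part of the URL) and/or in the form body and are merged into params, and a link_to with method: :delete is a JavaScript-built POST form carrying _method=delete plus the CSRF token, which Rack::MethodOverride turns into a DELETE before routing. The token value, host name and ids are constructed sample data; the 422 response assumes protect_from_forgery with: :exception, and the query-over-body merge precedence is a simplification of what ActionDispatch does.

```ruby
require "uri"

# Added example (not code from the original question or answer): a stdlib-only
# model of what sits between the browser and a Rails controller, so the two
# points in the answer can be traced on realistic requests:
#   1. params arrive in the query string (part of the URL) and/or in the
#      form body; ActionController merges both into `params`;
#   2. `link_to ..., method: :delete` is a JavaScript-built POST form that
#      carries `_method=delete` plus the CSRF token, and Rack::MethodOverride
#      turns that POST into a DELETE before routing.
# The token value, host name and ids below are constructed sample data.

SESSION_CSRF_TOKEN = "constructed-sample-token".freeze # assumption: the per-session token

# Parse one raw HTTP request into { method:, path:, query:, form: }.
# Only application/x-www-form-urlencoded bodies are decoded.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  request_line, *header_lines = head.split("\r\n")
  method, target, _version = request_line.split(" ", 3)
  headers = header_lines.map { |l| k, v = l.split(":", 2); [k.strip.downcase, v.to_s.strip] }.to_h
  uri = URI.parse(target)
  query = uri.query ? URI.decode_www_form(uri.query).to_h : {}
  form_encoded = headers["content-type"].to_s.start_with?("application/x-www-form-urlencoded")
  form = (body && !body.empty? && form_encoded) ? URI.decode_www_form(body).to_h : {}
  { method: method, path: uri.path, query: query, form: form }
end

# Rack::MethodOverride semantics: only a POST may be rewritten, only from the
# form body (not the query string), and only to PUT, PATCH or DELETE.
OVERRIDABLE = %w[PUT PATCH DELETE].freeze
def effective_method(req)
  override = req[:form]["_method"].to_s.upcase
  return override if req[:method] == "POST" && OVERRIDABLE.include?(override)
  req[:method]
end

# ActionController merges query and body params; body values take precedence
# (simplified assumption for this illustration).
def merged_params(req)
  req[:query].merge(req[:form])
end

# The route from the question, before and after the answer's fix.
ROUTES_BEFORE = { ["GET", "/commands/deleteuser"] => :delete_user }.freeze
ROUTES_AFTER  = { ["DELETE", "/commands/deleteuser"] => :delete_user }.freeze

# Dispatch in Rails order: method override, then CSRF verification
# (protect_from_forgery with: :exception checks every non-GET/HEAD request
# and answers 422 on failure), then route matching (404 if nothing matches).
def dispatch(routes, raw)
  req = parse_request(raw)
  meth = effective_method(req)
  if !%w[GET HEAD].include?(meth) && merged_params(req)["authenticity_token"] != SESSION_CSRF_TOKEN
    return { status: 422, action: nil, params: {} }
  end
  action = routes[[meth, req[:path]]]
  return { status: 404, action: nil, params: {} } unless action
  { status: 200, action: action, params: merged_params(req) }
end

# Constructed sample requests.
# 1. Clicking the original GET link: the params are not hidden, they are in
#    the request line, and anything that fetches the URL (a crawler, a link
#    prefetcher, an <img src=...> on another site) runs the action.
GET_LINK = "GET /commands/deleteuser?command_id=3&user_id=7 HTTP/1.1\r\n" \
           "Host: example.test\r\n\r\n"

# 2. What rails-ujs sends for `link_to ..., method: :delete`: a POST to the
#    same href (query string included, since command_id and user_id are not
#    route segments) with the override and the CSRF token in the body.
DELETE_LINK = "POST /commands/deleteuser?command_id=3&user_id=7 HTTP/1.1\r\n" \
              "Host: example.test\r\n" \
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n" \
              "_method=delete&authenticity_token=#{SESSION_CSRF_TOKEN}"

# 3. A cross-site forgery: another origin can make the victim's browser send
#    this POST to example.test, but it cannot read the victim's token.
FORGED = "POST /commands/deleteuser?command_id=3&user_id=7 HTTP/1.1\r\n" \
         "Host: example.test\r\n" \
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n" \
         "_method=delete"

if __FILE__ == $PROGRAM_NAME
  p dispatch(ROUTES_BEFORE, GET_LINK)    # 200: :delete_user runs from a plain GET
  p dispatch(ROUTES_AFTER,  GET_LINK)    # 404: GET no longer reaches the action
  p dispatch(ROUTES_AFTER,  DELETE_LINK) # 200: params still include user_id from the URL
  p dispatch(ROUTES_AFTER,  FORGED)      # 422: no valid authenticity_token
end
```

Running the file shows why the route change matters: with the GET route, the second and third requests are not needed at all, a bare GET executes the deletion and gets no CSRF check, because Rails verifies the authenticity token only on non-GET requests. With the DELETE route, a GET is a 404, a forged POST without the token is a 422, and only the rails-ujs form (which also needs JavaScript enabled in the browser) reaches the action. It also answers the question's second part: the values passed to delete_user_path are not route segments, so they stay in the URL's query string whichever method is used; only _method and the token travel in the body.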

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow