Do not use a Symfony Form to delete an article #427
Conversation
]); | ||
} | ||
|
||
/** | ||
* Deletes a Post entity. | ||
* | ||
* @Route("/{id}", name="admin_post_delete") | ||
* @Method("DELETE") | ||
* @Method("POST") |
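Review bot: with the method switched from DELETE to POST on the last line of this hunk, the path `/{id}` no longer tells deletion apart from other actions on the same post by verb alone; move the route to `/{id}/delete` so the intent is visible in the URL, and keep it restricted to `@Method("POST")` so that a plain GET link or image tag cannot reach the action.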
@lyrixx, you could use the _method field in the form instead of changing the required HTTP method to POST. http://symfony.com/doc/current/form/action_method.html
I know, but I always found this totally useless ;)
Why don't you like the DELETE method? Is it because browsers don't support it and we must simulate it with the _method trick? Thanks!
]); | ||
} | ||
|
||
/** | ||
* Deletes a Post entity. | ||
* | ||
* @Route("/{id}", name="admin_post_delete") | ||
* @Method("DELETE") | ||
* @Method("POST") |
if you change it to POST (which is something I do all the time to avoid having to enable the HttpMethodOverride which is disabled by default), I suggest changing the URL to /{id}/delete though
So you don't use the DELETE method either in your apps? Why don't you want to enable HttpMethodOverride? Security reasons? Performance reasons? Thanks!
@stof good catch, I will change the URL.
@javiereguiluz It just simulates a verb. But what does it bring? IMHO nothing except more code for no real value.
@javiereguiluz enabling it makes it easier to create CSRF attacks (well, not for this action as it has a CSRF token). This is why it is disabled by default in Symfony.
And it brings no value (the browser is not doing a DELETE request) and can become a nightmare when dealing with cache proxies (because it is a POST request, and you cannot add a Vary on this override to use the right cache).
button_css: 'btn btn-lg btn-block btn-danger', | ||
show_confirmation: true, | ||
}, with_context = false) }} | ||
{{ include('admin/blog/_delete_form.html.twig', { post: post}, with_context = false) }} |
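Review bot: the inline hash passed to `include()` on the added line has inconsistent brace spacing, `{ post: post}`; write it `{ post: post }` to match the spacing used elsewhere in the templates. Passing `with_context = false` is the right call here, since the partial then sees only the `post` variable it is given rather than the whole parent context.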
Missing space at the end { post: post } or remove the extra space at the beginning {post: post}? Same in other files.
Nice catch! The style we use adds a space before and after the braces, so it should be { post: post }
Thanks. Fixed.
Because it's simpler without a SF Form
$form = $this->createDeleteForm($post); | ||
$form->handleRequest($request); | ||
if (!$this->isCsrfTokenValid('delete', $request->request->get('token'))) { | ||
return $this->redirectToRoute('admin_post_index'); |
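Review bot: an invalid CSRF token is swallowed silently on the added lines; the user is bounced to `admin_post_index` with no explanation and nothing is recorded. Add a flash message on that branch before the redirect, for example `$this->addFlash('error', 'The CSRF token is invalid. Please try to resubmit the form.');`, and since the check now reads `$request->request->get('token')` directly instead of going through `handleRequest()`, make sure the delete template posts a hidden field named `token` whose value is generated with the same `'delete'` token id.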
The request could come from the "edit page" or the "show page"; is it right to redirect to the index page? Would a redirect to the referer be valid here?
On the other hand, could you add a flash message (error) when this happens? Similar to:
The CSRF token is invalid. Please try to resubmit the form.
Actually I keep the same behavior as before my changes...
👍
This looks much simpler to me.
@lyrixx thanks for simplifying this feature!
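The pattern the reviewers converge on above, written out as an added example that is not code from symfony/demo or from this PR: a POST-only route at /{id}/delete (so HttpMethodOverride and the _method field stay disabled), no Form component, an explicit CSRF check on a field named token, and a flash message instead of a silent redirect when the token is invalid. It assumes PHP 8 attributes, that App\Entity\Post is resolved by the entity param converter, and the companion Twig form shown in the docblock.

```php
<?php
// Added example, not symfony/demo code: delete a Post without a Symfony Form.
// The route is POST-only and lives at /{id}/delete, so HttpMethodOverride (and
// the _method field) stays disabled and a plain link or <img> cannot trigger it.
namespace App\Controller\Admin;

use App\Entity\Post;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

final class PostDeleteController extends AbstractController
{
    /**
     * Companion template (assumed name: admin/blog/_delete_form.html.twig):
     *
     *   <form action="{{ path('admin_post_delete', {id: post.id}) }}" method="post">
     *       <input type="hidden" name="token" value="{{ csrf_token('delete') }}">
     *       <button type="submit" class="btn btn-lg btn-block btn-danger">Delete</button>
     *   </form>
     *
     * The token id 'delete' must match the one checked below.
     */
    #[Route('/admin/post/{id}/delete', name: 'admin_post_delete', methods: ['POST'])]
    public function __invoke(Request $request, Post $post, EntityManagerInterface $em): Response
    {
        // Read only the POST body ($request->request), never the query string,
        // so the token cannot be supplied through a crafted URL.
        $token = (string) $request->request->get('token', '');

        if (!$this->isCsrfTokenValid('delete', $token)) {
            // Unlike a silent redirect, tell the user why nothing was deleted.
            $this->addFlash('error', 'The CSRF token is invalid. Please try to resubmit the form.');

            return $this->redirectToRoute('admin_post_index');
        }

        $em->remove($post);
        $em->flush();
        $this->addFlash('success', 'The post was deleted successfully.');

        return $this->redirectToRoute('admin_post_index');
    }
}
```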
This PR was merged into the master branch.

Discussion
----------

Do not use a Symfony Form to delete an article

Because it's simpler without a SF Form

Commits
-------

9f8a40b Do not use a Symfony Form to delete an article

This PR was merged into the main branch.

Discussion
----------

Disable HTTP method override

We don't need this since the changes introduced in #427 and this goes in sync with the official Symfony recipe: symfony/recipes#892

Commits
-------

47eb3d9 Disable HTTP method override