I've got a fairly common scenario, but I can't quite figure it  out.

My app deals with an individual subscriber.  Subscribers can have a list of contact addresses, and also, separately, a list of another property.  So on the  subscriber page, I have two different fieldsets, each with a list, and a "Create New" button. The Contacts are maintained by the Contacts controller, and the other property is maintained by a different controller.

The list of contacts is displayed using a standard foreach loop with a table/tr/td hierarchy.  I want the capability for each contact in the list, to be able to delete it, so  I have a Delete action in my ContactsController, and  create an ActionLink in the rightmost cellof each row:

<%= Html.ActionLink("Delete", "Delete", "Contacts", new {id= contact.Id}, null) %>

Which works, EXCEPT that, I read once, and understand, it's NOT a good idea to have a Delete action reachable by an HTTP GET request, since any arbitrary person (or robot) can go in and delete anything they want.

I tried to implement it using an Ajax.ActionLink with an AjaxOptions object with the HttpMethod set to  Delete, as described in the ASP.NET MVC Tuturial   But my Delete method in Contacts is returning a RedirectToAction result back to the Subscribers/Index action.  Since Ajax is trying to do a partial  update, it appears to ignore the redirect to action (which reconstitutes the now-modified contact list), and appears to simply re-display the original page, including the deleted contact.  So I  really would  like to  do  the equivalent of that tutorial (including the Confirmaton alert) without using Ajax.  In other words, do an ActionLink, but provide some parameter to make it use at least a POST, and preferably a DELETE HTTP method.  But I can't find anything that  will let me do that.  (BTW, I can't just return the PartialView as was done in the tutorial because the delete method is in the ContactsController, and  view that I need to go back to is in the SubscribersController. PartialView will accept a view name, but not a controller name.)

I appreciate any insights. Thanks.

http://www.asp.net/learn/mvc/tutorial-17-cs.aspx
http://www.asp.net/learn/mvc/tutorial-17-vb.aspx

Authenticating Users with Forms Authentication

You need to manage your users and their roles.

If certain users are not allowed to delete,
you could have a second application for
deletion purpose.

or you could have two logins for key staff,
one for every day use and the second with
admin priveleges, e.g.:  Jane and JaneAdmin.

Also, I suggest you watch the video by
Phil Haack's video:  http://videos.visitmix.com/MIX09/T44F,
               "Ninja on Fire Black Belt Tips"

Watch the entire video, it's worth your time.

Phil discusses security and other worthwhile topics.

In addition to [Authorize] as discussed in the written tutorial,
AFAIK you can make your delete into a form and force POST
with [AcceptVerbs(HttpVerbs.Post)].  I have not tried this
although I think it will work.  If you do not want a Delete
button, you can change its appearance AFAIK via css.

TIMTOWTDI =. there is more than one way to do it.

Regards,
Gerry (Lowry)

Gerry,

Thanks for taking the time to respond, but you're not really answering the  question that I'm asking. Let me simplify it and rephrase it:

Is there a way to get an ActionLink to go to a new controller/action via a POST call instead of a GET?

No, I don't think there is I'm afraid.

I think you have two options really without using Ajax.

One is to use an ActionLink to get to a confirmation page, that has a form that POSTs to your controller action.

The other way is to use a form on the original page.  You probably have a list of records each with a delete link, and you need to wrap each of them in a seperate form tag for this to work.  That seemed couterintuitive to me coming from a web forms background where you can only have one from per page - but it works just fine.

Dave - Maybe you can address this by changing the design so that the action link goes to a "are you sure you want to delete?" page (as an http GET which is fine in this case since it's not changing data). Then on that page you would do a form post that calls the delete action method with an http post.

The other option would be to include a hidden form  with hidden fields on the page and have the link fire off some javascript that basically populates values into the hidden fields and submits the form.

Have a look at these articles and see if they help:

http://haacked.com/archive/2009/01/30/simple-jquery-delete-link-for-asp.net-mvc.aspx

http://stephenwalther.com/blog/archive/2009/01/21/asp.net-mvc-tip-46-ndash-donrsquot-use-delete-links-because.aspx

it looks like you need tricks ...

basically POST is something that happens via a FORM SUBMIT ...

I would not risk JavaScript tricks because JavaScript is not guaranteed to be availble.

However:  see http://stackoverflow.com/questions/688722/does-html-actionlink-post-the-form-data for an interesting idea.

Personally, I think I would stick with the original idea I expressed ... with hidden fields you can force POST as an alternative to using ActionLink ... the idea is to use multiple submit buttons ... here's an Edit example you could adapt to your Delete:

(without JavaScript)
on your .aspx page, add a second button:
     <input type="submit"    value="First"        name="submitButton"/>
     <input type="submit"    value="Second"   name="submitButton"/>
in your Controller:
    // POST: /Home/Edit/5
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit(Movie movieToEdit, string submitButton)
    {
        if (submitButton == "First")       et cetera

For submitButton == "First" you would have an equivalent hidden field that holds the Primary Key for the row that you wish to delete; et cetera.  I think this would work but I am pressed for time and have not thought it through to completion.

Regards,
Gerry (Lowry)

CodeHobo:

Dave - Maybe you can address this by changing the design so that the action link goes to a "are you sure you want to delete?" page (as an http GET which is fine in this case since it's not changing data). Then on that page you would do a form post that calls the delete action method with an http post.

The other option would be to include a hidden form  with hidden fields on the page and have the link fire off some javascript that basically populates values into the hidden fields and submits the form.

Why not do both? Have the link point off to a confirmation page that's only used when Javascript is disabled, and then a bit of onclick handling which posts a form to the same place the confirmation page would've posted to? Then you get 95% of your users having a clickable link which deletes directly, you're safe w/ idempotency (and spiders and pull-ahead browsers), and most of your users get a nice clean link-oriented UI.

Don't forget when using Javascript to also do a prompt before deleting (or, better, offer an undo option like applications like Gmail do).