I've got a fairly common scenario, but I can't quite figure it out.
My app deals with an individual subscriber. Subscribers can have a list of contact addresses, and also, separately, a list of another property. So on the subscriber page, I have two different fieldsets, each with a list, and a "Create New" button. The
Contacts are maintained by the Contacts controller, and the other property is maintained by a different controller.
The list of contacts is displayed using a standard foreach loop with a table/tr/td hierarchy. I want the capability for each contact in the list, to be able to delete it, so I have a Delete action in my ContactsController, and create an ActionLink in
the rightmost cellof each row:
<%= Html.ActionLink("Delete", "Delete", "Contacts", new {id= contact.Id}, null) %>
Which works, EXCEPT that, I read once, and understand, it's NOT a good idea to have a Delete action reachable by an HTTP GET request, since any arbitrary person (or robot) can go in and delete anything they want.
I tried to implement it using an Ajax.ActionLink with an AjaxOptions object with the HttpMethod set to Delete, as described in the
ASP.NET MVC Tuturial But my Delete method in Contacts is returning a RedirectToAction result back to the Subscribers/Index action. Since Ajax is trying to do a partial update, it appears to
ignore the redirect to action (which reconstitutes the now-modified contact list), and appears to simply re-display the original page, including the deleted contact. So I really would like to do the equivalent of that tutorial (including the Confirmaton
alert) without using Ajax. In other words, do an ActionLink, but provide some parameter to make it use at least a POST, and preferably a DELETE HTTP method. But I can't find anything that will let me do that. (BTW, I can't just return the PartialView as
was done in the tutorial because the delete method is in the ContactsController, and view that I need to go back to is in the SubscribersController. PartialView will accept a view name, but not a controller name.)
Phil discusses security and other worthwhile topics.
In addition to [Authorize] as discussed in the written tutorial,
AFAIK you can make your delete into a form and force POST
with [AcceptVerbs(HttpVerbs.Post)]. I have not tried this
although I think it will work. If you do not want a Delete
button, you can change its appearance AFAIK via css.
TIMTOWTDI =. there is more than one way to do it.
Regards,
Gerry (Lowry)
B-) Please help me by completing my school survey about computer programmers on my website. Thank you!!! Gerry Lowry +1 705-429-7550 wasaga beach, ontario, canada
I think you have two options really without using Ajax.
One is to use an ActionLink to get to a confirmation page, that has a form that POSTs to your controller action.
The other way is to use a form on the original page. You probably have a list of records each with a delete link, and you need to wrap each of them in a seperate form tag for this to work. That seemed couterintuitive to me coming from a web forms background
where you can only have one from per page - but it works just fine.
Dave - Maybe you can address this by changing the design so that the action link goes to a "are you sure you want to delete?" page (as an http GET which is fine in this case since it's not changing data). Then on that page you would do a form post that calls
the delete action method with an http post.
The other option would be to include a hidden form with hidden fields on the page and have the link fire off some javascript that basically populates values into the hidden fields and submits the form.
Personally, I think I would stick with the original idea I expressed ... with hidden fields you can force POST as an alternative to using ActionLink ... the idea is to use multiple submit buttons ... here's an Edit example you could adapt to your Delete:
(without JavaScript)
on your .aspx page, add a second button:
<input type="submit" value="First"
name="submitButton"/>
<input type="submit"
value="Second" name="submitButton"/> in your Controller: // POST: /Home/Edit/5 [AcceptVerbs(HttpVerbs.Post)] publicActionResult Edit(Movie
movieToEdit, stringsubmitButton)
{
if (submitButton == "First")
et cetera
For submitButton == "First" you would have an equivalent hidden field that
holds the Primary Key for the row that you wish to delete; et cetera. I think this would work but I am pressed for time and have not thought it through to completion.
Regards,
Gerry (Lowry)
B-) Please help me by completing my school survey about computer programmers on my website. Thank you!!! Gerry Lowry +1 705-429-7550 wasaga beach, ontario, canada
Dave - Maybe you can address this by changing the design so that the action link goes to a "are you sure you want to delete?" page (as an http GET which is fine in this case since it's not changing data). Then on that page you would do a form post that calls
the delete action method with an http post.
The other option would be to include a hidden form with hidden fields on the page and have the link fire off some javascript that basically populates values into the hidden fields and submits the form.
Why not do both? Have the link point off to a confirmation page that's only used when Javascript is disabled, and then a bit of onclick handling which posts a form to the same place the confirmation page would've posted to? Then you get 95% of your users
having a clickable link which deletes directly, you're safe w/ idempotency (and spiders and pull-ahead browsers), and most of your users get a nice clean link-oriented UI.
Don't forget when using Javascript to also do a prompt before deleting (or, better, offer an undo option like applications like Gmail do).
Marked as answer by ricka6 on Nov 05, 2009 06:09 PM
daveh551
Member
74 Points
89 Posts
Delete Record from an ActionLink
Nov 04, 2009 07:18 PM|LINK
I've got a fairly common scenario, but I can't quite figure it out.
My app deals with an individual subscriber. Subscribers can have a list of contact addresses, and also, separately, a list of another property. So on the subscriber page, I have two different fieldsets, each with a list, and a "Create New" button. The Contacts are maintained by the Contacts controller, and the other property is maintained by a different controller.
The list of contacts is displayed using a standard foreach loop with a table/tr/td hierarchy. I want the capability for each contact in the list, to be able to delete it, so I have a Delete action in my ContactsController, and create an ActionLink in the rightmost cellof each row:
<%= Html.ActionLink("Delete", "Delete", "Contacts", new {id= contact.Id}, null) %>
Which works, EXCEPT that, I read once, and understand, it's NOT a good idea to have a Delete action reachable by an HTTP GET request, since any arbitrary person (or robot) can go in and delete anything they want.
I tried to implement it using an Ajax.ActionLink with an AjaxOptions object with the HttpMethod set to Delete, as described in the ASP.NET MVC Tuturial But my Delete method in Contacts is returning a RedirectToAction result back to the Subscribers/Index action. Since Ajax is trying to do a partial update, it appears to ignore the redirect to action (which reconstitutes the now-modified contact list), and appears to simply re-display the original page, including the deleted contact. So I really would like to do the equivalent of that tutorial (including the Confirmaton alert) without using Ajax. In other words, do an ActionLink, but provide some parameter to make it use at least a POST, and preferably a DELETE HTTP method. But I can't find anything that will let me do that. (BTW, I can't just return the PartialView as was done in the tutorial because the delete method is in the ContactsController, and view that I need to go back to is in the SubscribersController. PartialView will accept a view name, but not a controller name.)
I appreciate any insights. Thanks.
actionlink HttpMethod
gerrylowry
All-Star
20525 Points
5713 Posts
Re: Delete Record from an ActionLink
Nov 04, 2009 08:08 PM|LINK
http://www.asp.net/learn/mvc/tutorial-17-cs.aspx
http://www.asp.net/learn/mvc/tutorial-17-vb.aspx
Authenticating Users with Forms Authentication
You need to manage your users and their roles.
If certain users are not allowed to delete,
you could have a second application for
deletion purpose.
or you could have two logins for key staff,
one for every day use and the second with
admin priveleges, e.g.: Jane and JaneAdmin.
Also, I suggest you watch the video by
Phil Haack's video: http://videos.visitmix.com/MIX09/T44F,
"Ninja on Fire Black Belt Tips"
Watch the entire video, it's worth your time.
Phil discusses security and other worthwhile topics.
In addition to [Authorize] as discussed in the written tutorial,
AFAIK you can make your delete into a form and force POST
with [AcceptVerbs(HttpVerbs.Post)]. I have not tried this
although I think it will work. If you do not want a Delete
button, you can change its appearance AFAIK via css.
TIMTOWTDI =. there is more than one way to do it.
Regards,
Gerry (Lowry)
daveh551
Member
74 Points
89 Posts
Re: Delete Record from an ActionLink
Nov 04, 2009 08:28 PM|LINK
Gerry,
Thanks for taking the time to respond, but you're not really answering the question that I'm asking. Let me simplify it and rephrase it:
Is there a way to get an ActionLink to go to a new controller/action via a POST call instead of a GET?
AndyB123
Member
62 Points
11 Posts
Re: Delete Record from an ActionLink
Nov 04, 2009 09:14 PM|LINK
No, I don't think there is I'm afraid.
I think you have two options really without using Ajax.
One is to use an ActionLink to get to a confirmation page, that has a form that POSTs to your controller action.
The other way is to use a form on the original page. You probably have a list of records each with a delete link, and you need to wrap each of them in a seperate form tag for this to work. That seemed couterintuitive to me coming from a web forms background where you can only have one from per page - but it works just fine.
CodeHobo
All-Star
18647 Points
2647 Posts
Re: Delete Record from an ActionLink
Nov 04, 2009 09:17 PM|LINK
Dave - Maybe you can address this by changing the design so that the action link goes to a "are you sure you want to delete?" page (as an http GET which is fine in this case since it's not changing data). Then on that page you would do a form post that calls the delete action method with an http post.
The other option would be to include a hidden form with hidden fields on the page and have the link fire off some javascript that basically populates values into the hidden fields and submits the form.
Blog | Twitter : @Hattan
hasselhoss
Participant
1201 Points
174 Posts
Re: Delete Record from an ActionLink
Nov 04, 2009 11:07 PM|LINK
Have a look at these articles and see if they help:
http://haacked.com/archive/2009/01/30/simple-jquery-delete-link-for-asp.net-mvc.aspx
http://stephenwalther.com/blog/archive/2009/01/21/asp.net-mvc-tip-46-ndash-donrsquot-use-delete-links-because.aspx
gerrylowry
All-Star
20525 Points
5713 Posts
Re: Delete Record from an ActionLink
Nov 04, 2009 11:22 PM|LINK
it looks like you need tricks ...
basically POST is something that happens via a FORM SUBMIT ...
I would not risk JavaScript tricks because JavaScript is not guaranteed to be availble.
However: see http://stackoverflow.com/questions/688722/does-html-actionlink-post-the-form-data for an interesting idea.
Personally, I think I would stick with the original idea I expressed ... with hidden fields you can force POST as an alternative to using ActionLink ... the idea is to use multiple submit buttons ... here's an Edit example you could adapt to your Delete:
(without JavaScript)
on your .aspx page, add a second button:
<input type="submit" value="First" name="submitButton"/>
<input type="submit" value="Second" name="submitButton"/>
in your Controller:
// POST: /Home/Edit/5
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Edit(Movie movieToEdit, string submitButton)
{
if (submitButton == "First") et cetera
For submitButton == "First" you would have an equivalent hidden field that holds the Primary Key for the row that you wish to delete; et cetera. I think this would work but I am pressed for time and have not thought it through to completion.
Regards,
Gerry (Lowry)
bradwils
Contributor
5779 Points
691 Posts
Microsoft
Re: Delete Record from an ActionLink
Nov 05, 2009 12:58 PM|LINK
Why not do both? Have the link point off to a confirmation page that's only used when Javascript is disabled, and then a bit of onclick handling which posts a form to the same place the confirmation page would've posted to? Then you get 95% of your users having a clickable link which deletes directly, you're safe w/ idempotency (and spiders and pull-ahead browsers), and most of your users get a nice clean link-oriented UI.
Don't forget when using Javascript to also do a prompt before deleting (or, better, offer an undo option like applications like Gmail do).