Update Settings: Properly ignore settings that are not allowed to be updated dynamically #985

Closed
kimchy opened this issue May 31, 2011 · 3 comments

@kimchy
Member

commented May 31, 2011

Update Settings: Properly ignore settings that are not allowed to be updated dynamically. (Currently, everything is passed, which is bad since it's confusing).

@kimchy kimchy closed this in c134233 May 31, 2011

@ofavre

Contributor

commented May 31, 2011

This kind of solves a part of #981.
It depends on whether you actually do or don't want to give the ability to use GET parameters for the PUT or POST updating the settings. Anyways, pretty (the only legal parameter for update settings I think) won't be taken as a setting anymore.
Further discussion on #981?

@kimchy

Member Author

commented May 31, 2011

Yea, this helps with #981. Let's continue there since I don't understand what GET parameters are... :)

@ofavre

Contributor

commented May 31, 2011

Having a PHP background, parameters can come from 2 sources: the URL, the request body (often present only in case of POST/PUT method).

Do not hesitate to skip the following paragraph, I'm in verbose mode this night...
The URL is basically http://host:port/path/to/resource?firstSoCalledGetParam=value&etc.
firstSoCalledGetParam and etc are what PHP calls GET and POST parameters.
If the request body has a Content-Type: application/x-www-form-urlencoded, then some other values can be given (under the same format var=val&var2=val2, with urlencoding). This is what curl does when using the -d flag (although it does not change the form of the value to match the var=val&var2=val2 format).
The latter parameters are called POST parameters in PHP.
When coding a PHP webpage, one will make sure of the origin of the parameter, preventing easy parameter injection by modifying the URL, so that only user friendly parameters are exposed as GET parameters through the URL, and making sure the other ones do come from the request body as POST parameters.

To conclude: GET and POST parameters somehow separate the presentation from the data.
This is why I proposed reading only POST parameters for a POST to the Update Settings API, leaving GET parameters to only configure the presentation of the answer.
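
Added example, not part of the original thread and not the project's own code: a Python illustration of the separation proposed in the last comment, combined with the issue's rule that non-dynamic settings are ignored. The function name, the two allowlists, the form-encoded body and the sample request are assumptions made for the example.

```python
from urllib.parse import parse_qsl, urlsplit

# Illustrative allowlists: assumptions for this example, not the project's real lists.
DYNAMIC_SETTINGS = {"index.number_of_replicas"}
PRESENTATION_PARAMS = {"pretty"}


def split_update_request(url, body):
    """Classify the parameters of a settings update by where they came from.

    Returns (presentation, applied, ignored). Query-string parameters can only
    shape the response; settings are taken from the form-encoded body and only
    when they are on the dynamic allowlist.
    """
    presentation, applied, ignored = {}, {}, []

    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key in PRESENTATION_PARAMS:
            presentation[key] = value
        else:
            # A setting placed in the URL is reported, never applied.
            ignored.append(("query", key, "settings are read from the body only"))

    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in DYNAMIC_SETTINGS:
            applied[key] = value
        else:
            ignored.append(("body", key, "not dynamically updatable"))

    return presentation, applied, ignored


if __name__ == "__main__":
    # Constructed request: host, index name and values are made up.
    url = "http://localhost:9200/test/_settings?pretty=true&index.number_of_replicas=5"
    body = "index.number_of_replicas=2&index.number_of_shards=10&pretty=true"
    for part in split_update_request(url, body):
        print(part)
```

Returning the ignored entries with their source and reason lets the caller log or report them instead of dropping them silently.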
