
Get request should not write to database note added. #16329

Merged
merged 1 commit into from
Jul 29, 2014

Conversation

deependersingla

GET requests should not write to the database according to the security guidelines; note added to Section 3.7, HTTP Verb Constraint.

@@ -645,6 +645,8 @@ match 'photos', to: 'photos#show', via: :all

NOTE: Routing both `GET` and `POST` requests to a single action has security implications. In general, you should avoid routing all verbs to an action unless you have a good reason to.

NOTE: 'GET' in rails don't check for CSRF token. According to security guideline's you should not write to database from 'GET' requests. More on [this](security.html#csrf-countermeasures)
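Review bot: the added NOTE line carries grammar and formatting problems that will ship straight into the guide: "'GET' in rails don't check" should read "Rails doesn't check", "guideline's" is a stray possessive, and the verb should be in backticks (`GET`) to match the NOTE immediately above it, which writes `GET` and `POST` that way. Suggested replacement for the whole line: "NOTE: Rails does not check the CSRF token on `GET` requests, so you should never write to the database from a `GET` request. For more information, see the security guide's section on [CSRF countermeasures](security.html#csrf-countermeasures)."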
Member

"..in Rails doesn't check for CSRF token."

Member

"You should never write to the database from 'GET' requests, for more information see the security guide on CSRF countermeasures."
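As an added example illustrating the wording suggested above (not code from this PR, from Rails itself, or from the commenter), the stand-alone Ruby below models why the rule exists: a simplified forgery check that, like Rails' `protect_from_forgery`, skips token verification for GET and HEAD; a hypothetical `PhotosController#destroy` that deletes a row; and two route tables, one exposing the action via every verb (the `via: :all` shape from the hunk) and one restricting it to DELETE. The `Request` struct, the controller, the route tables and `simulate` are all constructed for this example and are not the framework's implementation.

```ruby
require "securerandom"

# Minimal stand-in for a Rack request (constructed for this example).
Request = Struct.new(:verb, :params, :session, keyword_init: true)

# Simplified model of Rails' forgery check: the token is only verified on
# non-GET/HEAD requests. This is the behaviour the note relies on, written
# here as plain Ruby; it is not the framework's own code (which also masks
# the token and compares it in constant time).
def verified_request?(request)
  return true if %w[GET HEAD].include?(request.verb)
  expected = request.session[:_csrf_token]
  given = request.params["authenticity_token"]
  !expected.nil? && !given.nil? && expected == given
end

# Hypothetical controller whose destroy action writes to the "database"
# (a plain Hash standing in for a table).
class PhotosController
  def initialize(db)
    @db = db
  end

  def destroy(request)
    return :rejected unless verified_request?(request)
    @db.delete(request.params["id"])
    :ok
  end
end

# Two route tables for the same action: the weak one mirrors
# `match 'photos/:id/destroy', via: :all`; the hardened one restricts the
# write to DELETE, so a plain GET never reaches it.
ROUTES_WEAK = { "photos#destroy" => %w[GET POST DELETE] }.freeze
ROUTES_HARD = { "photos#destroy" => %w[DELETE] }.freeze

# Dispatches one request through the chosen route table and reports whether
# the write happened. Returns [outcome, rows_left_in_db].
def simulate(routes, verb, with_token)
  session = { _csrf_token: SecureRandom.base64(32) }
  params = { "id" => 1 }
  params["authenticity_token"] = session[:_csrf_token] if with_token
  request = Request.new(verb: verb, params: params, session: session)
  db = { 1 => "photo" }
  outcome = if routes["photos#destroy"].include?(verb)
              PhotosController.new(db).destroy(request)
            else
              :no_route
            end
  [outcome, db.size]
end

if __FILE__ == $PROGRAM_NAME
  puts "weak routes, GET without token:    #{simulate(ROUTES_WEAK, 'GET', false).inspect}"
  puts "hard routes, GET without token:    #{simulate(ROUTES_HARD, 'GET', false).inspect}"
  puts "hard routes, DELETE without token: #{simulate(ROUTES_HARD, 'DELETE', false).inspect}"
  puts "hard routes, DELETE with token:    #{simulate(ROUTES_HARD, 'DELETE', true).inspect}"
end
```

With the weak routing, a GET carrying no token reaches `destroy` and the row is deleted, because the check never runs for GET; with the hardened routing the same request gets no route, and a DELETE is only honoured when it presents the session's token. The fix the note recommends is therefore not to add a token check to GET but to keep writes off GET entirely.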

Author

You are right @zzak. Thanks for the edit. How should I add them, or will you do this when merging it?

Member

@deependersingla you can fix those statements yourself and git commit --amend in your branch. Also, make sure to add a [skip ci] to the commit message, as this is just a doc change.

@zzak
Member

zzak commented Jul 29, 2014

@deependersingla Could you squash it to one commit? And don't forget "[ci skip]" in the commit message.

Then I can merge this.

Thank you!

@arthurnn
Member

This is one way to squash those 2 commits into one.

git reset --soft HEAD~2
git commit -m "Get request should not write to database note added. [skip ci]"
git push -f origin HEAD

@deependersingla
Author

Thanks @arthurnn and @zzak, I really appreciate your help and support for Rails. I am also looking for long-term support, though I am a beginner.

@deependersingla
Author

@zzak Done

zzak pushed a commit that referenced this pull request Jul 29, 2014
GET request should not write to database note added. [ci skip]
@zzak zzak merged commit 89ad1d8 into rails:master Jul 29, 2014
@zzak
Member

zzak commented Jul 29, 2014

@deependersingla Thank you!

zzak pushed a commit to zzak/rails that referenced this pull request Jul 29, 2014
@deependersingla
Author

Thanks @zzak, I am very happy; I always wanted to submit something to Rails. I hope I can do something more in future. This is what I am working on now: #16266

3 participants