

The reason behind the half-REST design pattern - william-shulman
http://stereolambda.wordpress.com/2010/04/21/the-reason-behind-the-half-rest-design-pattern/

======
nzmsv
Using GET to delete is just asking to have a search crawler wipe your entire
site. Not only is this not RESTful, it violates the RFC.

~~~
fnid2
Not requiring a username and password to delete is just asking to have your
entire database deleted by a click happy anonymous web browser.

"Ooo... look! I can delete whatever!... Okay..." click click click click...

~~~
nzmsv
...and that's why I shouldn't post at 2am :)

------
udfalkso
3\. Very few people even know that "PUT" and "DELETE" exist.

~~~
fnid2
4\. Four CRUD operations are insufficient for even modestly complex
applications. Many REST-like api's include the type of operation to perform in
the request, but this is against the rigid structure of the REST interface.

------
brg
If someone more schooled in web design wouldn't mind answering, what problems
arise of by using the GET add-contact api as described in the post? What is
the benefit of using xml in the body of a PUT or POST verb vs the headers?

~~~
nzmsv
From RFC2616 9.1.1:

 _...the convention has been established that the GET and HEAD methods SHOULD
NOT have the significance of taking an action other than retrieval._

Why? GET should mean simply getting the page. Not doing so runs the risk of:

\- Bookmarks breaking (what if someone bookmarks the add-contact link?)

\- Google deleting everything because it followed the links (there is an
example of this on The Daily WTF)

\- Easy cross-site request forgery attacks (I post an "image" with the url
that deletes your address book on some message board. You are still logged in
with a cookie, so it goes ahead)

Even if the site in question is doing something to prevent the above, why
reinvent the wheel and not just use POST (or a more RESTful method)?

As for XML, lots of people hate it, and there is no real requirement to use it
(unless your users want it, of course). JSON or even form data can work.

As for headers, there might be a risk of a stupid proxy server mangling them,
but nothing should mess with the body of the request. And it's just more
conventional to describe the request as the request body, and have headers act
as the meta-information about it. (I'm assuming you meant HTTP headers)

~~~
brg
Thank you for the explanation.

In the example, the add-contact URI was dynamically generated so the deletion
from following a url and and bookmark breaking did not seem especially
pertinent.

But your explanation made a lot of points clear. One maintains the integrity
of the call by placing parameters in the body. Avoiding proxy and caching
issues inherit in using GET, as well as avoiding xss, makes immediate sense.

~~~
nzmsv
There can be workarounds, but using something that's not broken in the first
place is better. Every one of those issues comes from other software expecting
the spec (RFC) to be followed where it's not.

Another thing I remembered after I posted. There is no universally agreed upon
maximum query string length, so passing parameters in GET is web server
dependent.

------
psadauskas
1) Use the ad-hoc standard of a form parameter "_method=PUT|DELETE".

2) Read the "Content-Type" header of the request to find out how to parse it.
Whats so hard about that?

REST is where Javascript was 8 years ago, everybody things its horrible
because very few people actually understand how the whole thing works, and all
the implications of that.

------
techiferous
I think Ruby on Rails default scaffolding actions and routing have influenced
the popularity of the half-REST design.

~~~
wycats
Rails default scaffolding and routing absolutely do use the full REST design,
supporting both PUT and DELETE as well as inbound XML and JSON payloads

~~~
techiferous
Sorry. I thought Rails had to make compromises, like faking PUT.

~~~
WALoeIII
It fakes the PUT to help out browsers. If you pass in a _method paramater it
overrides the actual HTTP verb, but this is actually done in middleware above
Rails, the controller sees it as PUT.

