I need to give an external payment site a return url to my site after a customer pays. It will be to my create action in a RESTful subscription controller.
Ive tried giving the payment site this
blah.com/users/7/subscription/?_method=POST
but on return my app keeps trying to call my show action presumably because it thinks its a get request and not a post. So somethings wrong with how i pass the method in the url but i cant figure out what.
Users are plural and they can only have one subscription which is defined in my routes as singular i.e. map.resource
Can anyone help?
You can't POST from a GET request.
If the calling application is simply executing a URL this is a GET request.
If the payment site does not support POSTing back to you then you can't do it.
I would ask the payment site if they offer the ability to POST to you. Many do.
If the external service isn't calling your url with a POST, then it is an issue with that service, not your application. Also, keep in mind that CSRF will protect your POST, PUT, DELETE without a token, so you'll need to disable it for this method, and hopefully you have some other way of authenticating that request.
Related
Can I make any action like post comment, upload video, etc.. by send a GET Request instead of POST in Vimeo API? like graph facebook api, can post an comment by GET Request with method parameter
Simply put, you can't. Our API is RESTful and does not allow this type of behavior. If we document an endpoint, like uploading a video, as POST, you can only do that with a POST.
Likely not in the vein of StackOverflow, but this post is oddly relevant here.
https://twitter.com/rombulow/status/990684453734203392?lang=en
In sum: GET requests should be idempotent by definition. By defining a GET request to perform some action on the backend, you may run into issues with browsers that preload content based on page links. A sample manifestation of this would be a garage door opening whenever one opens a particular tab in Google Chrome.
Would not recommend ever having a GET perform an action on the BE.
I have an app where I try to adhere to REST.
The app receives requests for external links that don't belong to the app, so the sole purpose of the action is to redirect the request to the external URL.
My suggestion is to have the following controller/action: redirects_controller#create.
Is my thinking correct or should it be the show action instead?
REST (apart from Rails) is about using the correct HTTP method for the correct action. The Rails part is just using the conventional controller action for a given HTTP method.
So, if you're doing a 301 or 302 redirect to another page, which browsers handle by issuing a GET request to the URL in the redirect response's Location header, do it in a show action. This will allow the user's browser to cache the other page when appropriate, and to not notify the user before redirecting.
(There is a way to redirect POSTs, but you didn't mention it so I expect you're talking about regular 301/302 redirects.)
Coming from a Java background, the REST actions must be related to CRUD operations. Requests that do not change the resource like in your case where the intent is to redirect to another page must be tied to a GET verb or show in your example.
If you were to create a new resource you would use POST.
A more detailed explanation can be found in Richardson's rest maturity model level 2
please help me
I have created a controller 'users' with a view 'login' with a form to login users, I have changed the routes.rb changing get user/login to post user/login
now when I go to localhost:3000/users/login appears:
Routing Error
No route matches [GET] "/users/login"
Try running rake routes for more information on available routes.
please what should to do to works that page, that problem is because I have changed 'get' to 'post' in the routers, there are something more that I should to add?
When you just go to that url in your browser, the type of request is GET - but, as you said, there's no route for this request now.
POST route will be useful when you actually submit a form on this page - with simple submit (specify method attribute as POST) or AJAX request.
You can use both in routes.rb:
get user/login
post user/login
This means that the controller will recognize requests made using both methods. It is up to your controller logic to sort it out. The get would typically be used to render the login form; post would receive the user's username and password, authenticate him/her, and then redirect to a page for successful login (or unsuccessful, if necessary).
I may spark some controversy by saying this but if you are a beginner and you are looking to make a "serious" web site with user authentication, you may not want to leave anything up to chance and instead use a gem like devise (https://github.com/plataformatec/devise) to do it for you. Some will say that it's better to learn how to do it from scratch first, and there's some sense in that, too.
I know that I can use annotation or Request mapping to restrict access to an ACTION by some specific ROLES. But now I have a different circumstance.
My scenario is: every user of my site can create posts, and they can make their own post public, private, or only share to some other users. I implement sharing post by a database table PERMISSION, which specify if a user have the right to view a post or not.
The problem arises here is that when a customer access a post through a direct link, how can I determine he/she have the privilege to view it? There's 3 circumstances:
The post is public, so it can be viewed by anyone (include not-login
user)
The post is private, so only the login-owner can view it
The post is sharing, it means only the login-user that is shared and the
owner can view it.
I want to process like this:
If the requested post is public: ok.
If the requested post is private/sharing: I want to redirect
the customer to the login page; after
logging in, the user will be re-direct
to the page he wants to see.
The problem here is that I can redirect the user to login controller/ auth action, but after that I don't know how to redirect it back. The link to every post is different by post_id, so I can't use SpringSecurityUtils.securityConfig.successHandler.defaultTargetUrl
Could anyone know a way to do this?
Dunno about grails, but spring security has a spring-security-redirect parameter which can be used to redirect the user to the specified url on successful authentication.
I think you could add your own filter that will be executed before the action is called and do the verification of the post permissions there. You can find more information about Grails Filters here.
Have you looked at the Grails Spring Security ACL plugin? I don't know it very well, but it's designed to restrict access to particular instances:
http://grails.org/plugin/spring-security-acl
I have found a quick workaround for this problem:
If the user is logged in: check the user's privilege, and return the appropriate result.
If the user is not logged in: At view action, set the post_id by:
session.post_id = 8
Redirect the user to the Login Controller/ Auth action.
At checkrole action(which is my grails.plugins.springsecurity.successHandler.defaultTargetUrl in Config.groovy), if session.post_id exists, use it to build the link for re-directing to the view action. Before redirecting, clear the session.post_id.
I want to grant users access to my API (hosted on heroku.com) from their sites.
But a strange problem occurs, when i want them to allow to post to the api:
Data sent from an correct form with the correct action-url (e.g. "http://myapp.com/projects/123/tasks/321/todos") - the params get serialized and send via jQuery - i encounter an "ActionController::MethodNotAllowed" with the additional info: "Only get and post requests are allowed", that re-routes to ApplicationController#index with :method => :options.
Rails doesnt extract the params for project_id (123) and task_id (321) from the url, neither are any further request_parameters, path_parameters or query_parameters available.
This behaviour occurs, when I POST from external sites, but doesn't occur, when posting from an html-page on my local machine. My first thought was about wrong encoding, but how to fix that problem.
Edit:
I am using authlogic (not devise :-D) and for the :create action the protect_from_forgery is already skipped.
Any suggestions appreciated
i guess that happens because rails tries to protect your form CSRF attacks.
you can comment out the protect_from_forgery line in your ApplicationController to test it.
but im not sure if thats the right way of dealing with this issue in the production environment.
Okay. I'll try and answer the right question this time (see other comment).
So I've thought about this, and I'm wondering, is this a case of the jQuery call attempting a PUT request? When you use the local form Rails will POST the data, but add the extra _method field to emulate a PUT.
Don't know if you are using jquery-rails, but this takes care of setting the _method parameter, and the PUT/POST verb translation for you in your AJAX calls.
The problem occured due to the cross domain policy - the request was made from another domain - and because I was using a recent browser that supports CORS, it was sending an OPTIONS-request first to get known from the server, which actions are allowed for this domain.