I have some ‘micro-actions’ for changing statuses for things like student notes and I would much rather not have to have forms for each “Close Note” & “Reopen Note” button in a dropdown sitting in a repeater like below just for a tiny update.
A few questions come to mind in how to forego forms.
Can I use a Server Connect route with parameters? And if so, how do I get the route to run as an XHR request? Currently, it navigates away from the current page & goes to the response from the SC action. The current setup I have:
The whole path: /api/students/notes/closeOpenNote?dir=:dir&date_closed=:date_closed&staff_closed=:staff_closed&id=:id
Should I just add a Server Connect element and use the $_GET variables so I can set the parameters during the SC load action? I know $_GET should be used for retrieving data, not posting; however, this seems to be the easier option.
I would be interested to know if you can do this also!
Make a minor change to a record without having to POST back to Server Connect, but use GET.
I am assuming the change would insert a parameter into the URL, or can this be done without doing that? Have the parameter update client side and refresh the Server Connect to get the updated variable or value?
You cannot use POST variables without forms.
You can use GET variables, and these are being sent as URL params when you are calling the server actions.
You don’t need a direct link to the server action to use GET vars. Just include your server action on the page and set it to no auto load.
On click of your button use dynamic events > click > load server action, there you can pass the parameters you defined for it.
This way you will stay on the same page.
Note that using GET variables this way, you should make sure to secure your server action as the link and parameters can be seen in the dev tools and you don’t want anyone with the link to be able to load it.
Could you explain a little more on securing the server action?
Is there a particular reason why you don't want to use forms? I would have thought using POST with forms would usually be preferable in cases like this. There probably wouldn't be any need or advantage in sending URL parameters using GET.
More of a convenience thing really. Rather than having to create a form, hidden fields etc for every, what I’m calling, microaction, I think that it would be much easier if we were able to just load a SC with input params like we can with GET actions. However, @Teodor has answered my question that this is not possible to do with POST. So if I just add a Security Restrict to my SC I should be grapes.
You should do that independently of the verb used. The technology behind POSTs is not more secure than the one for GETs.
Anyone with malicious intent can fake POST requests.
Irrespective of whether you use GET or POST, you have to perform some checks to make sure that the user is authorised/the data being submitted is full/the data is in the right format/the data doesn’t contain anything it shouldn’t etc.
The most common way to handle this is some combination of some/all of: Security Restrict, data validation and queries.
The bottom line is you can NEVER trust that the data being sent to your server (POST/GET) is correct and from an authorised source.
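
The checks named in the replies above (an authorised user, complete and well-formed data, a query against the record), written out for the closeOpenNote route as an added example that is not part of the original thread and is not Wappler's own code. It is plain Node.js; the function name, the session shape, the `notes:update` permission and the allowed `dir` values are assumptions.

```javascript
// Added example. All names are hypothetical; this is not Wappler's API.
// Constructed sample row standing in for the notes table.
const notes = new Map([
  [7, { id: 7, status: 'open', staff_closed: null, date_closed: null }],
]);

const fail = (status, error) => ({ status, error });

// session: server-side login state. query: the raw GET parameters (all strings).
function closeOpenNote(session, query, now = new Date()) {
  // 1. Authorisation, the job Security Restrict does: identity and permission
  //    come from the session, never from the URL.
  if (!session || !Number.isInteger(session.staffId)) return fail(401, 'login required');
  if (!Array.isArray(session.permissions) || !session.permissions.includes('notes:update')) {
    return fail(403, 'not allowed to update notes');
  }

  // 2. Validation: required parameters are present and well formed.
  //    Assumed here: dir is "close" or "open", id is a positive integer.
  const { dir, id } = query || {};
  if (dir !== 'close' && dir !== 'open') return fail(400, 'dir must be close or open');
  if (typeof id !== 'string' || !/^[1-9][0-9]{0,8}$/.test(id)) return fail(400, 'id must be a positive integer');

  // 3. Query: the record must exist and the change must make sense for it.
  const note = notes.get(Number(id));
  if (!note) return fail(404, 'note not found');
  const target = dir === 'close' ? 'closed' : 'open';
  if (note.status === target) return fail(409, `note is already ${target}`);

  // 4. Apply. staff_closed and date_closed in the query are ignored: the server
  //    fills them in, so a caller cannot close a note in someone else's name.
  note.status = target;
  note.staff_closed = dir === 'close' ? session.staffId : null;
  note.date_closed = dir === 'close' ? now.toISOString() : null;
  return { status: 200, note: { ...note } };
}

// Constructed requests: no session, a malformed id, then a forged staff_closed.
const staff = { staffId: 12, permissions: ['notes:update'] };
console.log(closeOpenNote(null, { dir: 'close', id: '7' }));
console.log(closeOpenNote(staff, { dir: 'close', id: '7 OR 1=1' }));
console.log(closeOpenNote(staff, { dir: 'close', id: '7', staff_closed: '99' }));
```

The same checks apply unchanged if the action is later switched to a form POST.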