@mneuhaus
Created April 25, 2013 09:16
Even though it is done a lot (we have caught ourselves here) it is really bad practice to have "delete" links in an application.
By definition, crawlers (including search engines) are allowed to follow links, and the only reason this doesn't end up in loss of data is that those delete links are usually behind a login, but imagine a delete link on a wiki.
Following the notion of "safe requests" will allow us to do great optimizations in the future, such as:
* Running persistence in "readonly" mode for GET
* Partly disable validation for GET
* No CSRF hassle
* *Smarter caching* of GET requests
Don't get me wrong. Flow is known to be "opinionated", but this doesn't mean you're forced to do it the "Flow" way. But I don't agree with your approaches for the following reasons:
> allow GET methods to tunnel other request methods
This would circumvent the whole "safe method" approach.
> extend the link.action viewhelper with a method parameter, which allows to override the request method through the request method tunneling feature
That wouldn't work out for the above reason.
But what we should provide is documentation on how to adjust your application:
The preferred way is probably to replace links with little forms where possible:
from:
<pre>
<code class="html">
<f:link.action action="delete">delete</f:link.action>
</code>
</pre>
to:
<pre>
<code class="html">
<f:form action="delete"><f:form.button>delete</f:form.button></f:form>
</code>
</pre>
If you really need links (I'd be interested in use cases) you could set some (data) attribute on the link and unobtrusively turn them into POSTs on click via JavaScript.
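As an added example (not part of the gist), this is one way to do that unobtrusive upgrade: a link carries `data-method="post"` plus the CSRF token in a `data-csrf-token` attribute (assumed to be filled in by the template), and on click the script submits a real POST form instead of following the GET link. The hidden field name `__csrfToken` is an assumption about Flow's token field name.

```javascript
// Added example: turn links marked data-method="post" into POST submissions,
// so that a "delete" link is no longer a safe (GET) request.
const CSRF_FIELD = '__csrfToken'; // assumed name of Flow's CSRF token field

// Pure part: decide from a link's attributes whether (and how) to upgrade it.
// Returns null for plain GET links so the browser handles them normally.
function describePostLink(attrs) {
  const method = (attrs['data-method'] || 'get').toLowerCase();
  if (method !== 'post' || !attrs.href) return null;
  const fields = {};
  if (attrs['data-csrf-token']) {
    fields[CSRF_FIELD] = attrs['data-csrf-token']; // keep CSRF protection working
  }
  return { action: attrs.href, method: 'post', fields };
}

// DOM part: build a hidden form from the description above.
function buildForm(doc, desc) {
  const form = doc.createElement('form');
  form.method = desc.method;
  form.action = desc.action;
  for (const [name, value] of Object.entries(desc.fields)) {
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  return form;
}

// Attach click handlers to every link that opted in via data-method.
function enhancePostLinks(doc) {
  for (const link of doc.querySelectorAll('a[data-method]')) {
    link.addEventListener('click', (event) => {
      const attrs = {};
      for (const a of link.attributes) attrs[a.name] = a.value;
      const desc = describePostLink(attrs);
      if (!desc) return;            // not a POST link: let the browser follow it
      event.preventDefault();       // do NOT issue the GET
      const form = buildForm(doc, desc);
      doc.body.appendChild(form);
      form.submit();
    });
  }
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => enhancePostLinks(document));
}
```

A link such as `<a href="/foo/delete?foo=1" data-method="post" data-csrf-token="...">delete</a>` then behaves like the small form above, while links without `data-method` are untouched.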
And last but not least (or maybe also least):
You can keep everything as is and change your action from
<pre>
<code class="php">
/**
 * @param Foo $foo
 */
public function deleteAction(Foo $foo) {
    $this->fooRepository->delete($foo);
}
</code>
</pre>
to:
<pre>
<code class="php">
/**
 * @param Foo $foo
 * @Flow\SkipCsrfProtection
 */
public function deleteAction(Foo $foo) {
    $this->fooRepository->delete($foo);
    $this->persistenceManager->persistAll();
}
</code>
</pre>
Be warned, though, that this circumvents CSRF protection (which might not be an issue here).
BTW: there is a brand new CsrfToken ViewHelper in Fluid to keep CSRF protection working for non-Fluid forms and JavaScript POST requests.