Webapp security: Different DB permissions for different requests

Automated disclaimer: This post was written more than 15 years ago and I may not have looked at it since.

Older posts may not align with who I am today and how I would think or write, and may have been written in reaction to a cultural context that no longer applies. Some of my high school or college posts are just embarrassing. However, I have left them public because I believe in keeping old web pages alive, and it's interesting to see how I've changed.

When a GET hits your server, your RESTful webapp should not alter the database. Why not enforce this at the permissions level?

GET should only be able to SELECT, UPDATE, and INSERT. (DELETE is up to your discretion. I prefer to flag rows for deletion and periodically run a script to archive or remove these rows.) Now, I'm sure you intend to follow this rule in your webapp! It's just too easy to slip up.
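Here is an added example (not code from the post) of enforcing the rule from the database side rather than trusting handler code. It uses SQLite's read-only open mode (`mode=ro`) to stand in for a restricted database role: a GET request gets a connection that can only read, any other method gets the read-write connection, and a handler that tries to write during a GET is refused by the database itself. On PostgreSQL or MySQL the same split is done with two roles, the read-only one granted SELECT only, and the app choosing credentials by HTTP method. The schema, the `posts` table, the `deleted` flag column and the sample rows are all constructed for this example.

```python
import os
import sqlite3
import tempfile

# Constructed sample database file; a file path is needed because SQLite's
# read-only URI mode cannot be used with an in-memory database.
DB_PATH = os.path.join(tempfile.mkdtemp(), "app.db")


def setup():
    """Create a tiny constructed schema with two sample rows (hypothetical data)."""
    with sqlite3.connect(DB_PATH) as conn:
        conn.execute(
            "CREATE TABLE IF NOT EXISTS posts ("
            "id INTEGER PRIMARY KEY, title TEXT, deleted INTEGER DEFAULT 0)"
        )
        conn.execute("DELETE FROM posts")
        conn.executemany(
            "INSERT INTO posts (title) VALUES (?)", [("first",), ("second",)]
        )


def connection_for(method):
    """Pick the privilege level from the HTTP method.

    GET gets a read-only connection (the stand-in for a SELECT-only DB role);
    everything else gets the normal read-write connection.
    """
    if method == "GET":
        return sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)
    return sqlite3.connect(DB_PATH)


def handle(method, sql, params=()):
    """Run one request's query under the privilege level its method allows.

    Returns ("ok", rows) on success or ("denied", message) when the database
    refuses the statement, which is what happens to any write over a GET
    connection no matter what the handler code intended.
    """
    conn = connection_for(method)
    try:
        cur = conn.execute(sql, params)
        rows = cur.fetchall()
        conn.commit()
        return ("ok", rows)
    except sqlite3.OperationalError as exc:
        return ("denied", str(exc))
    finally:
        conn.close()


def purge_deleted():
    """The periodic out-of-band job the post describes: remove rows that were
    flagged for deletion. It runs with the read-write connection, never inside
    a GET handler."""
    with sqlite3.connect(DB_PATH) as conn:
        return conn.execute("DELETE FROM posts WHERE deleted = 1").rowcount


if __name__ == "__main__":
    setup()
    print(handle("GET", "SELECT title FROM posts ORDER BY id"))
    print(handle("GET", "UPDATE posts SET deleted = 1 WHERE id = 1"))   # denied
    print(handle("POST", "UPDATE posts SET deleted = 1 WHERE id = 1"))  # ok
    print(purge_deleted())
```

The useful property is that the second call is rejected by the database, not by an `if method == "GET"` check that a future handler might forget; with real roles the same applies to every code path that reaches the read-only credentials.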
