Handling POST requests in Yusef
Sunday, February 14, 2010 4:40:26 PM
In its latest version, Yusef has introduced a new route API, extending the capabilities of the addSectionListener API. Basically, a route extends the concept of section/action: the route is matched by a regular expression (instead of a section name), and an action is attached to it. This new version also tightens the security of the section/actions API, which is a given for Opera.
In particular, it was previously possible to handle any POST in a section listener without a nonce. The nonce was, however, required for action handling. Sections were particularly useful when using AJAX components that rely on POST to pass information back to the application: these components may not offer enough customization to pass that nonce.
This all worked well in the previous version. However, the newer version of Yusef makes sure that every POST has a nonce attached. Otherwise, the application returns HTTP error 400, Bad Request. How can we deal with these AJAX components then? By adding "disablePOSTSecurityCheck: true" to the section listener options.
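The behaviour described above, modelled as an added example (this is not Yusef's code, and it runs under Node.js rather than Opera Unite): a dispatcher that rejects a POST without a valid nonce with 400 unless the section was registered with disablePOSTSecurityCheck: true. The names createApp, issueNonce, dispatch and consumeNonce, the addSectionListener signature and the single-use nonce policy are assumptions made for the illustration.

```javascript
// Added model of the POST nonce check, not Yusef source code. Only disablePOSTSecurityCheck
// and the HTTP 400 come from the post; all other names and single-use nonces are assumptions.
const { randomBytes, timingSafeEqual } = require('crypto');
// Constant-time compare; a matched nonce is deleted so it cannot be replayed.
function consumeNonce(nonces, candidate) {
  if (typeof candidate !== 'string') return false;
  const given = Buffer.from(candidate);
  for (const issued of nonces) {
    if (given.length === issued.length && timingSafeEqual(given, Buffer.from(issued))) {
      nonces.delete(issued);
      return true;
    }
  }
  return false;
}

function createApp() {
  const sections = new Map(); // section name -> { handler, options }
  const nonces = new Set();   // nonces handed out with rendered pages
  return {
    addSectionListener(name, handler, options = {}) {
      sections.set(name, { handler, options });
    },
    issueNonce() {
      const nonce = randomBytes(16).toString('hex');
      nonces.add(nonce);
      return nonce;
    },
    dispatch(req) {
      const entry = sections.get(req.section);
      if (!entry) return { status: 404 };
      const checked = entry.options.disablePOSTSecurityCheck !== true;
      if (req.method === 'POST' && checked && !consumeNonce(nonces, req.nonce)) {
        return { status: 400 }; // Bad Request: POST without a valid nonce
      }
      return { status: 200, body: entry.handler(req) };
    },
  };
}

// Constructed requests: 'comments' keeps the check, 'upload' opts out for an AJAX widget.
function demo() {
  const app = createApp();
  app.addSectionListener('comments', () => 'saved');
  app.addSectionListener('upload', () => 'stored', { disablePOSTSecurityCheck: true });
  const nonce = app.issueNonce();
  const post = (section, n) => app.dispatch({ section, method: 'POST', nonce: n }).status;
  return [post('comments'), post('comments', nonce), post('comments', nonce), post('upload')];
}
```

A section that opts out no longer gets the nonce check on its POSTs, so the option is best limited to the sections the AJAX component actually posts to.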
With all these options around, I thought it might be a good idea to put together a table of every option. Although it is not currently the ultimate reference, I hope it will become more and more complete over time:
||Whether POST requests are accepted without a nonce being present
||Use a template on the page (Note: for the content and _index sections, the default value is true).
||Restrictions applied to the section/action.
||Who can access the section ('private', 'public' or 'limited').
||Who can access the action (one of the levels of accesstypes defined in Yusef.plugins.acl.getAccessTypes()).
||Whether the access can be modified later on.
||Whether the content must be translated.