I created a sample ASP.NET MVC application that I plan to post at the http://www.ASP.net/mvc website. While the application was being code reviewed by the ASP.NET MVC Feature team, a surprising objection surfaced.
The application is extremely simple. It contains a view that renders a list of database records. Next to each record, there is an Edit link and a Delete link (see Figure 1). Pretty standard stuff. Or, so I thought…
Figure 1 – A Grid of database records
Here’s the objection. You should not use a link for deleting a record. Using a Delete link opens up a security hole.
Read the whole post for what happens if you provide a Delete link in a typical MVC app, and some ways you can avoid the negative security implications. Really good tip!
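As an added illustration (not code from the original post or its sample application), here is the pattern the objection targets beside the fix ASP.NET MVC supports: a controller action that deletes on a plain GET link, and a POST-only action guarded by the framework's anti-forgery token. The `RecordsController` name and the `IRecordRepository` interface are assumed for the example.

```csharp
using System.Web.Mvc;

// Hypothetical repository abstraction; not from the original post.
public interface IRecordRepository
{
    void Delete(int id);
}

public class RecordsController : Controller
{
    private readonly IRecordRepository _repo;

    public RecordsController(IRecordRepository repo)
    {
        _repo = repo;
    }

    // BEFORE: a plain <a href="/Records/Delete/5">Delete</a> link invokes
    // this action with a GET. Anything that merely fetches the URL performs
    // the delete: a crawler or browser prefetcher following the link, or an
    // <img src="..."> on another site loaded while the user is signed in.
    public ActionResult Delete(int id)
    {
        _repo.Delete(id);
        return RedirectToAction("Index");
    }

    // AFTER: accept only POST and require the anti-forgery token, so the
    // request must come from a form this site rendered for this user.
    // The matching view markup is:
    //   <% using (Html.BeginForm("DeleteConfirmed", "Records",
    //                            new { id = record.Id })) { %>
    //       <%= Html.AntiForgeryToken() %>
    //       <input type="submit" value="Delete" />
    //   <% } %>
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(int id)
    {
        _repo.Delete(id);
        return RedirectToAction("Index");
    }
}
```

The GET action is kept only for contrast; in a real application it would be removed so that the POST action is the sole route to the delete.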