In studying Web API design (regardless of the specific technology), I often come across these two uses of the DELETE verb:
DELETE /SomeResource/123 /* deletes entity with ID 123 */
DELETE /SomeResource/ /* deletes all entities */
I always get the feeling that there's something wrong with providing the latter as an operation in most applications. In rare cases where the resource is trivial, sure, why not just blow the whole collection away without a second thought? And yes, I understand that typically it's the client app's job to present an "Are you sure?" confirmation. But I like to envision my API being driven in a safe way even by some low-level agent like Fiddler.
So is there some mechanism I'm missing, like a way for the server/API to initiate some kind of dialog with the client agent to get confirmation before blowing away 10,000 customer records?
EDIT Yes, assume that I do want to provide the functionality to remove all entities in a given scenario, but feel compelled to avoid it because of the perceived danger (typos, not paying attention, etc; the things that a UI confirmation dialog is for)
答案 0 :(得分:-1)
您永远不会提供在网络API中删除所有功能的选项。
虽然可能存在例外,但通常这样做很糟糕,因为它允许用户执行不可逆转的操作。另一方面,想想有意图的人找到这个终点是多么可怕啊!
大多数库(如ASP.NET)都要求在接受请求之前显式实现每个方法(这在路由期间在ASP.NET中处理)。所以,如果你不提供DELETE /someresource/,问题永远不会出现。这一点特别棒,因为你不会意外地用拼写错误地吹走数据。
如果你真的非常想要这个功能,那么你将100%确定你有理由拥有它,因为这是一个危险的,危险的终点。
底线?我不会提供它来保护您的数据。