I have the following piece of code:

    public ActionResult ReadEmployee([DataSourceRequest]DataSourceRequest request)
    {
        return Json(GetEmployees().ToDataSourceResult(request), JsonRequestBehavior.AllowGet);
    }

I pretty much copied and pasted this from the Kendo Grid website, with some assumptions, such as that I would have to make an Ajax GET request from my View to be able to call this method. However, it turned out that the default behavior of the grid is actually to POST every time it comes back to the controller, and it works!!

This is really confusing to me, because I really thought I would see some error because of

JsonRequestBehavior.AllowGet

But it is serving the request. Am I missing anything here?

Lost
  • The default behavior is to allow POST but deny GET (which is why you need `.AllowGet` in order to make a GET request). [This answer](http://stackoverflow.com/questions/8464677/why-is-jsonrequestbehavior-needed) explains in more detail. –  Mar 05 '15 at 21:27
  • Isn't it a little counterintuitive that POST, which by its very nature is able to change the state of your server, is by default NOT guarded by MVC, but GET is, because we are worried that someone will see sensitive information that they are not supposed to see? What about the sensitive information that they are not allowed to change? – Lost Mar 05 '15 at 21:32
  • @CoffeeBean It's to do with a Cross-Site Request Forgery (CSRF/XSRF) attack that the GET exposes. External sites could potentially read data when calling endpoints via the script tag. The framework has disabled GET by default so developers have to make the conscious decision to enable it. – heymega Mar 05 '15 at 22:22
  • If you put it in an answer then I can select it as an answer and close the thread :) – Lost Mar 13 '15 at 20:05

1 Answer

By default MVC allows posts to actions.

Cirem
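As an added example (not code from the question, the answer, or Kendo's documentation), the controller below shows both sides of what the comments describe: the default JsonRequestBehavior.DenyGet that blocks a GET on the POST-only action, a GET action that is safe to expose because it wraps the data in an object rather than a bare array, and an anti-forgery token on the POST to address the CSRF concern the asker raises. The Employee model and GetEmployees() data are constructed for the example.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Constructed sample model; the question does not show its Employee type.
public class Employee
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class EmployeeController : Controller
{
    // Constructed stand-in for the question's GetEmployees().
    private static IEnumerable<Employee> GetEmployees() => new[]
    {
        new Employee { Id = 1, Name = "Alice" },
        new Employee { Id = 2, Name = "Bob" },
    };

    // 1. What the question's code relies on: Json(...) without AllowGet uses
    //    JsonRequestBehavior.DenyGet, so this action serves a POST from the grid,
    //    but a plain GET makes JsonResult.ExecuteResult throw
    //    InvalidOperationException ("This request has been blocked because
    //    sensitive information could be disclosed to third party web sites...").
    //    DenyGet does nothing against a forged POST, so the anti-forgery token
    //    is what protects a state-changing or sensitive POST endpoint.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ReadEmployeesPost()
    {
        return Json(GetEmployees());   // DenyGet is the implied default
    }

    // 2. A GET that is reasonable to expose: the payload is a JSON object, not a
    //    top-level array, so a cross-site <script src="..."> tag cannot treat the
    //    response as a JavaScript array literal (the read-across-sites vector the
    //    comments describe). Still only appropriate for non-sensitive data.
    [HttpGet]
    public ActionResult ReadEmployeesGet()
    {
        return Json(new { data = GetEmployees() }, JsonRequestBehavior.AllowGet);
    }
}
```

For ValidateAntiForgeryToken to pass, the view must emit the token (for example via @Html.AntiForgeryToken()) and the grid's POST must include it in the form data.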