6

I'm working on a standard cart for an ecommerce style application. In the cart we have the standard process of allowing a user to update the qty for an item. I understand how to rig this up using the standard post method passing information to an action in my controller. I did not know about the verbs PATCH and PUT.

If I have a custom action like the one below in my controller (which is called via POST) is PATCH using standard actions like "update" considered more secure? I'm still learning more about rails and PATCH and PUT is a little confusing to me.

carts_controller

def update_cart_qty
  @item = Item.find(params[:line_item][:item_id])
  quantity = params[:line_item][:quantity]

  # if qty is a not a number or negative set to 1 
  quantity = '1' if !quantity.match(/^\d+$/)

  if quantity == '0'
    result = current_cart.line_items.where("item_id = ?", params[:line_item][:item_id]).destroy_all
    respond_to do |format|
        format.js {flash.now[:notice] = "Removed \"#{@item.title}\" from your cart."}
        format.html {flash[:error] = "Removed \"#{@item.title}\" from your cart."}
    end
  else
    result = current_cart.add_item_and_update(@item, quantity, branch, current_user, price)
    current_cart.save
    respond_to do |format|
        format.js {flash.now[:notice] = "Qty \"#{quantity}\" of item \"#{@item.title}\" was updated."}  
        format.html {flash[:notice] = "Qty \"#{quantity}\" of item \"#{@item.title}\" was updated."}
    end
  end
end
Bryan.I
  • 373
  • 3
  • 11
  • 3
    Possible duplicate of [PUT vs POST in REST](http://stackoverflow.com/questions/630453/put-vs-post-in-rest) – drhining Jan 07 '16 at 21:54
  • Thanks drhininh I did not come across that thread while searching stackoverflow. That is very helpful. – Bryan.I Jan 07 '16 at 22:27
  • I'm voting not to close because this question is about "POST vs PATCH" not POST vs PUT - the answer is to go look at the other post... but people searching specifically for PATCH will likely find this question and not the other one. – Taryn East Jan 07 '16 at 23:49
  • Taryn makes a good point. I probably could not find that question because I was searching for PATCH. Also if I understand it correctly, in rails 4 specifically, PATCH is replacing PUT for updates. – Bryan.I Jan 08 '16 at 18:02

1 Answers1

8

The docs at jsonapi.org have a good discussion about PUT vs PATCH.

Using PUT to partially update a resource (i.e. to change only some of its state) is not allowed by the HTTP specification. Instead, PUT is supposed to completely replace the state of a resource.

[snip HTTP spec blockquote]

The correct method for partial updates, therefore, is PATCH, which is what JSON API uses. And because PATCH can also be used compliantly for full resource replacement, JSON API hasn't needed to define any behavior for PUT so far. However, it may define PUT semantics in the future.

In the past, many APIs used PUT for partial updates because PATCH wasn’t yet well-supported. However, almost all clients now support PATCH, and those that don’t can be easily worked around.

The basic idea is that PUT should only be used when you're completely replacing a resource and PATCH should be used for partial replacement/updates. POST can be used for any non-idempotent operation.

Community
  • 1
  • 1
drhining
  • 222
  • 1
  • 11