Don't send entity fields using query parameters on admin edit pages #60

GabrielMajeri · 2024-04-20T17:59:08Z

I've seen that the admin interface uses query parameters in the edit page href to store and pass the fields of the existing entity. This is not okay for several reasons:

It's inefficient and URLs have length/character limitations.
It's a potential security issue (we don't want secret keys and such being stored in the less-secured page URL).
It's weird for the user to see such internal information in the page's URL.

How this should work instead is:

Use a Next.js route parameter to pass in the entity ID.
Look it up in the database; render a 404 error if it doesn't exist anymore.
Check if the user has permissions to edit/view that entity.
Use the data loaded from the database as initial values for the form fields.

The text was updated successfully, but these errors were encountered:

GabrielMajeri added enhancement New feature or request front-end Issue relating to UI/UX back-end Issue related to the back end logic of the application admin-interface Issues related to the admin interface labels Apr 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Don't send entity fields using query parameters on admin edit pages #60

Don't send entity fields using query parameters on admin edit pages #60

GabrielMajeri commented Apr 20, 2024

Don't send entity fields using query parameters on admin edit pages #60

Don't send entity fields using query parameters on admin edit pages #60

Comments

GabrielMajeri commented Apr 20, 2024