Actions REST, a poor man's URI interface to actions

I rely on actions extensively to build functionality in my sites. I find them convenient for business logic because they are packaged chunks of functionality that can be called from many places, including Trigger, Rules, and VBO. Today, I've added a new place where actions can be called: the URL. Actions REST provides this functionality.

Consider a job site where a supplier receives an invitation to participate in a project. The supplier logs on to the site and views the invitation, then wants to accept or decline it. Regardless of how the invitation status is coded in the back-end (e.g. via Workflow states or a CCK field), there are probably ready-made actions that let you manipulate that state without coding. But how do you invoke such actions from the UI on the node? Actions REST provides half the solution: given that you manually code the action link (e.g., large red "Accept" and "Decline" buttons), this module will interpret the URL and invoke the action for you. It will also redirect the page back to where you were, unless you specify otherwise.

I hope other Drupal heads find this module useful!

Comments

It would be easy to introduce security vulnerabilities with this module with minor coding errors in the module or if configured incorrectly. What measures are in place to reduce this risk?

Thanks for the feedback. When I created this module, I was just thinking of the convenience of calling actions without having to hand-code the infrastructure on every site, but several people have pointed out the security risks inherent in opening up this functionality on the HTTP GET interface, including CSRF attacks.

I am now weighing the effort needed to secure this module, versus finding alternative means altogether. To me, security would mean:

  • Recoding the module to make POST requests through Form API, which would solve the CSRF vulnerability if properly coded, and
  • Requiring special registration of exposed actions, as opposed to opening them up wholesale.

I am grateful for feedback from the community, as I learn about new concerns and ultimately contribute useful modules that benefit the whole community.
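As an added example (not the Actions REST module's own code, and not the author's), here is what the two measures listed above could look like in a Drupal 6 module: an action can only be triggered if an administrator has registered it in an allow-list, and execution goes through a Form API confirmation form, so the request is a POST carrying Drupal's form token rather than a bare GET link that any page on the web could embed. The module name actions_rest_safe, the menu path, the permission name and the variable name are assumptions; actions_get_all_actions(), actions_do() and confirm_form() are the Drupal 6 core functions.

```php
<?php
// Added example, not part of the Actions REST module. Module name, menu path,
// permission and variable names are hypothetical.

/**
 * Implements hook_perm(): a dedicated permission for running exposed actions.
 */
function actions_rest_safe_perm() {
  return array('run exposed actions');
}

/**
 * Implements hook_menu(): node/NID/do/AID renders a confirmation form instead
 * of executing the action on the GET request itself.
 */
function actions_rest_safe_menu() {
  $items['node/%node/do/%'] = array(
    'title' => 'Run action',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('actions_rest_safe_confirm_form', 1, 3),
    'access callback' => 'actions_rest_safe_access',
    'access arguments' => array(1, 3),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access check: the user needs the permission, the action id must be on the
 * administrator-maintained allow-list, and it must be a node action.
 */
function actions_rest_safe_access($node, $aid) {
  if (!user_access('run exposed actions')) {
    return FALSE;
  }
  // Only explicitly registered action ids may be triggered (point #2).
  $exposed = variable_get('actions_rest_safe_exposed', array());
  if (!in_array($aid, $exposed, TRUE)) {
    return FALSE;
  }
  $actions = actions_get_all_actions();
  return isset($actions[$aid]) && $actions[$aid]['type'] == 'node';
}

/**
 * Form builder: confirm_form() adds the submit button, and Form API attaches
 * and validates the per-session form token for authenticated users (point #1).
 */
function actions_rest_safe_confirm_form(&$form_state, $node, $aid) {
  $actions = actions_get_all_actions();
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  $form['aid'] = array('#type' => 'value', '#value' => $aid);
  return confirm_form(
    $form,
    t('Run %action on %title?', array(
      '%action' => $actions[$aid]['description'],
      '%title' => $node->title,
    )),
    'node/' . $node->nid,
    t('This is submitted as a POST with a form token, so a plain link cannot trigger it.'),
    t('Run action'),
    t('Cancel')
  );
}

/**
 * Submit handler: runs only after Form API has accepted the token. The
 * allow-list is re-checked here so a stale form cannot outlive a config change.
 */
function actions_rest_safe_confirm_form_submit($form, &$form_state) {
  $node = node_load($form_state['values']['nid']);
  $aid = $form_state['values']['aid'];
  if (!$node || !actions_rest_safe_access($node, $aid)) {
    drupal_access_denied();
    return;
  }
  actions_do($aid, $node, array('hook' => 'actions_rest_safe'));
  drupal_set_message(t('Action %aid executed.', array('%aid' => $aid)));
  // Default redirect is the node; a ?destination= query string, if present,
  // takes precedence in drupal_goto(), matching the "unless you specify
  // otherwise" behaviour described in the post.
  $form_state['redirect'] = 'node/' . $node->nid;
}
```

The allow-list is a plain array of action ids stored with variable_set('actions_rest_safe_exposed', array(...)), which an admin settings form can manage; the confirmation step costs one extra click but means the state change never happens on a GET, so links in e-mails, images or third-party pages cannot fire it.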

Point #2 (Requiring special registration of exposed actions, as opposed to opening them up wholesale) is done. Looking into point #1.

Looks really handy. I'm kinda surprised something like this didn't exist before. Thanks!