I know it goes against the REST architecture but, from a pragmatic viewpoint, what is wrong with using the GET request method to remove data from a database?
Let's say I built an application that has an administration panel. In the administration panel, admins can remove items by accessing URIs like these:
/admin-panel/items-controller/remove-action/id/X
Where X is a primary key of an item to be deleted.
Are there any practical disadvantages to using this approach? Please educate me because I don't understand why POST should be used for this.
My main problem with using POST for removing data is that instead of a simple link (easy to style in CSS) you have to print a form with POST method next to each item and then style it to look like a button/link. Or am I completely misunderstanding?
Three words: search engine spiders.
Or browser plugins that prefetch links to speed up browsing. All kinds of software implicitly assume that a GET request can be made freely without negative effects. It's not just REST, the HTTP standard itself (RFC 2616) says so:
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
Example: you are logged in to your admin panel with full privileges (able to delete). I'm a user with restricted privileges but with knowledge of your architecture. So I can easily give you a link to some "trusted" page where I can put
<img src="/admin-panel/items-controller/remove-action/id/X" width="1" height="1">
You load the page, and the item is deleted because the image request is sent from your admin account.
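As an added example (not code from the question or from either answer), here is a minimal Python sketch of the server-side handling the answers argue for: the remove action refuses GET, and the POST must carry a per-session token, so neither a prefetcher nor an embedded image can trigger a delete. Only the URI pattern comes from the question; the `ITEMS` store and the `new_session`, `handle` and `delete_button` names are hypothetical.

```python
import hmac
import re
import secrets

# Constructed in-memory "database"; the route mirrors the question's URI scheme.
ITEMS = {1: "first item", 2: "second item"}
REMOVE_ROUTE = re.compile(r"^/admin-panel/items-controller/remove-action/id/(\d+)$")


def new_session(is_admin):
    """Create a session carrying a random per-session CSRF token."""
    return {"is_admin": is_admin, "csrf_token": secrets.token_urlsafe(32)}


def handle(method, path, session, form=None):
    """Dispatch one request; returns (status, headers, body)."""
    match = REMOVE_ROUTE.match(path)
    if not match:
        return 404, {}, "not found"
    # GET/HEAD must stay safe: crawlers, prefetchers and <img> tags issue them freely.
    if method != "POST":
        return 405, {"Allow": "POST"}, "use POST to remove an item"
    if not session or not session.get("is_admin"):
        return 403, {}, "admin only"
    # POST alone is not sufficient: a form on another site is still sent with the
    # admin's cookies, so also require a token that only our own pages can read.
    supplied = str((form or {}).get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, session["csrf_token"].encode()):
        return 403, {}, "bad or missing CSRF token"
    if ITEMS.pop(int(match.group(1)), None) is None:
        return 404, {}, "no such item"
    return 200, {}, "removed"


def delete_button(item_id, session):
    """Per-item delete control: a small form whose button can be styled like a link."""
    action = f"/admin-panel/items-controller/remove-action/id/{item_id}"
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
        '<button type="submit" class="link-like">remove</button></form>'
    )
```
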