Actions PageHandlers DirectAccess

Plugin authors can use an action, a page handler, or a directly called file to serve pages to users or to update data in the database. Each of these methods has situations where it is preferable to the others.

Actions

Actions are transient states used to perform an operation such as updating the database or sending a notification to a user. As of Elgg 1.7, all actions require action tokens. Used correctly, actions are secure and protect against CSRF and XSS attacks.

Action best practices

Never call an action directly by saying:

...href="/mod/mymod/actions/myaction.php"

This circumvents the security systems in Elgg.

There is no need to include the engine/start.php file in your actions. Actions should never be called directly, so the engine will be started automatically when called correctly.

Because actions are time-sensitive, they are not suitable for links in emails or other delayed notifications. An example of this would be invitations to join a group. The clean way to create an invitation link is to create a page handler for invitations and email that link to the user. It is then the page handler's responsibility to create the action links for a user to join or ignore the invitation request.
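The invitation flow described above, as an added example that is not part of the original Elgg documentation. It assumes the Elgg 1.7 plugin API; the plugin name mymod, the invitations handler, the mymod/invite/... action names and the group_guid parameter are hypothetical.

```php
<?php
// mod/mymod/start.php -- hypothetical plugin "mymod", Elgg 1.7-era API assumed

function mymod_init() {
    global $CONFIG;
    // Long-lived URL that is safe to email: {wwwroot}pg/invitations/<group_guid>
    register_page_handler('invitations', 'mymod_invitations_page_handler');
    // State changes live in registered actions, reached through {wwwroot}action/...
    // and never through /mod/mymod/actions/... directly.
    $dir = $CONFIG->pluginspath . 'mymod/actions/invite/';
    register_action('mymod/invite/accept', false, $dir . 'accept.php');
    register_action('mymod/invite/ignore', false, $dir . 'ignore.php');
}
register_elgg_event_handler('init', 'system', 'mymod_init');

// Renders the invitation page only; it changes no data itself.
function mymod_invitations_page_handler($page) {
    global $CONFIG;
    gatekeeper(); // the emailed link requires a logged-in user

    $guid = isset($page[0]) ? (int) $page[0] : 0;
    $group = get_entity($guid);
    if (!($group instanceof ElggGroup)) {
        register_error('Invitation not found.');
        forward();
    }

    $links = '';
    foreach (array('accept' => 'Join', 'ignore' => 'Ignore') as $action => $label) {
        // Tokens are generated when the page is viewed, so they are fresh when
        // the user clicks, however old the emailed link is.
        $url = elgg_add_action_tokens_to_url(
            $CONFIG->wwwroot . "action/mymod/invite/$action?group_guid=$guid");
        $links .= '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
            . $label . '</a> ';
    }

    // Escape user-controlled text before it reaches the page.
    $name = htmlspecialchars($group->name, ENT_QUOTES, 'UTF-8');
    $body = elgg_view_layout('one_column',
        "<p>You have been invited to join $name.</p><p>$links</p>");
    page_draw('Group invitation', $body);
    return true;
}
```

The accept.php and ignore.php action scripts still have to confirm on the server that the logged-in user was actually invited to the group named by group_guid, since the tokens only prove the request came from a page Elgg rendered for that session.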

Page Handlers

Page handlers are used to deliver content to users. This content can be HTML pages, RSS feeds, or downloadable files. Under most circumstances, page handlers should not be used to perform actions.

Directly calling a file

This is an easy one: don't do it. With the exception of third-party application integration, there is no reason to directly call a file in the mods directory.
