Unfortunate GET request can delete a project

Project:ProjectPier
Component:Code
Category:bug report
Priority:critical
Assigned:TheWalrus
Status:closed - by issue author
Description

A project can be deleted without any confirmation via a simple GET request.

e.g.: http://localhost/projectpier/index.php?c=project&a=delete&id=1&active_project=1

would delete project #1 without any confirmation. The link is normally accessed via the 'projects' action of the 'administration' controller. That link is protected by a JavaScript confirmation. However, it seems safer to me to have a delete confirmation HTML page where the user is forced to reenter their password before the project is deleted. This patch creates that confirmation system.

To apply the patch, cd into your ProjectPier directory and run
patch -p0 < confirm-delete-project.diff.txt

Attachment: confirm-delete-project.diff_.txt
Size: 5.28 KB
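An added example (not ProjectPier's code and not the attached patch) contrasting the delete-on-GET pattern described above with the confirmation flow the report proposes. The vulnerable handler changes state on any GET, so the JavaScript confirm on the admin link protects only the click, not the URL itself. The hardened handler renders a form on GET and deletes only on POST after checking a session-bound CSRF token and the re-entered password. All function and variable names here are invented, and the session is modelled as a plain array so the file runs from the command line.

```php
<?php
// Added example, not ProjectPier code. Names are constructed stand-ins.

// --- Vulnerable pattern: a state change on a plain GET, no confirmation ---
// Any page that makes the browser fetch this URL while an admin is logged in
// deletes the project; HTTP treats GET as safe, so browsers send it freely.
function delete_project_vulnerable(array $query, array $projects): array {
    $id = (int)($query['id'] ?? 0);
    unset($projects[$id]);
    return $projects;
}

// --- Hardened pattern ---
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function render_confirm_form(int $id, array &$session): string {
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?c=project&amp;a=delete">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . 'Re-enter your password to delete project #' . $id . ': '
         . '<input type="password" name="password" autocomplete="current-password">'
         . '<button type="submit">Delete</button></form>';
}

function delete_project_hardened(string $method, array $params, array $projects,
                                 string $password_hash, array &$session): array {
    $id = (int)($params['id'] ?? 0);
    // 1. GET never changes state; it only shows the confirmation form.
    if ($method !== 'POST') {
        return ['ok' => false, 'html' => render_confirm_form($id, $session), 'projects' => $projects];
    }
    // 2. The CSRF token must match the one bound to this session (constant-time compare).
    if (!isset($params['csrf_token'])
        || !hash_equals(csrf_token($session), (string)$params['csrf_token'])) {
        return ['ok' => false, 'error' => 'invalid token', 'projects' => $projects];
    }
    // 3. Password re-entry ties the action to the person present, not just the cookie.
    if (!password_verify((string)($params['password'] ?? ''), $password_hash)) {
        return ['ok' => false, 'error' => 'wrong password', 'projects' => $projects];
    }
    if (!isset($projects[$id])) {
        return ['ok' => false, 'error' => 'no such project', 'projects' => $projects];
    }
    unset($projects[$id]);
    // Rotate the token so the same submitted form cannot be replayed.
    unset($session['csrf_token']);
    return ['ok' => true, 'projects' => $projects];
}

// --- Demo with constructed data ---
$projects = [1 => 'Website redesign', 2 => 'Q3 report'];
$session  = [];
$hash     = password_hash('correct-horse', PASSWORD_DEFAULT);

// Vulnerable: the bare URL from the report deletes project #1 outright.
$after = delete_project_vulnerable(['id' => 1], $projects);
echo "vulnerable: " . implode(', ', array_keys($after)) . "\n";   // 2

// Hardened: GET only yields the form.
$r = delete_project_hardened('GET', ['id' => 1], $projects, $hash, $session);
echo "GET deleted? " . ($r['ok'] ? 'yes' : 'no') . "\n";           // no

// Hardened: POST without a token, or with the wrong password, is refused.
$r = delete_project_hardened('POST', ['id' => 1], $projects, $hash, $session);
echo "no token: " . $r['error'] . "\n";
$r = delete_project_hardened('POST', ['id' => 1, 'csrf_token' => $session['csrf_token'],
                              'password' => 'guess'], $projects, $hash, $session);
echo "bad password: " . $r['error'] . "\n";

// Hardened: correct token and password completes the delete.
$r = delete_project_hardened('POST', ['id' => 1, 'csrf_token' => $session['csrf_token'],
                              'password' => 'correct-horse'], $projects, $hash, $session);
echo "confirmed: " . ($r['ok'] ? 'deleted' : 'refused') . ", remaining: "
   . implode(', ', array_keys($r['projects'])) . "\n";              // deleted, remaining: 2
```

The ordering of the checks matters: the method check comes first so that a crafted link can never reach the token or password logic, and the token is compared with `hash_equals` rather than `==` to avoid a timing side channel. Re-entering the password is the stronger of the two controls and is what the report asks for; the CSRF token alone already stops the cross-site case, since a third-party page cannot read the value bound to the victim's session.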
#1
Priority:normal» critical

Note that you can only delete things if you have permission to do so. This is still an important issue though.

#2

here's a patch for SVN revision 104

Attachment: confirm-delete-project_r104.patch
Size: 2.01 KB
#3
Status:patch - code needs review» closed - by issue author

Closed in favor of Issue 629.