Home :: Projects :: ProjectPier Project :: ProjectPier :: Issues

Unfortunate GET requests can delete objects

By TheWalrus - Posted on January 31st, 2008
Project:ProjectPier
Component:Code
Category:bug report
Priority:critical
Assigned:TheWalrus
Status:closed - by issue author
Description

Most objects (client companies, projects, users, messages, tasks, milestones, files) can be deleted without any confirmation via a simple GET request. This supersedes Issues 622, 624, and 625.

e.g.: http://localhost/projectpier/index.php?c=company&a=delete_client&id=999

would delete client #999 without any confirmation. The same works for the following object controllers: Project, User, Message, Task, Milestone, and Files. The Forms controller probably also has this issue, but I can't even create a form for some reason.

These links are normally protected inside the application by a JavaScript confirmation. However, it seems safer to have a delete confirmation HTML page where the user is forced to reenter their password before the object is deleted. This patch creates that confirmation system.

To apply the patch, cd into your ProjectPier directory and run
patch -p0 < confirm-delete-all_r107.patch

As indicated by the patch filename, this patch works against SVN revision 107.

AttachmentSize
confirm-delete-all_r107.patch36.83 KB
#1
Submitted by TheWalrus on Thu, 01/31/2008 - 19:34.
Assigned to:Visitor» TheWalrus

Bleh. First patch was missing some files, and was missing the confirmation for deletion of a folder in the Files controller.

AttachmentSize
confirm-delete-all_r107_0.patch 36.83 KB
#2
Submitted by jamesu on Thu, 01/31/2008 - 23:09.

Nice, though seems to overcomplicate the deletion process.

Have you tried blocking out all requests methods except POST? I've done that in a few other projects (with a bit of JavaScript which makes a temporary invisible form and then submits it) and it seems to work rather nicely.

Though one obvious limitation of that is that it fails miserably when JavaScript is disabled. What a dilemma. ;)

#3
Submitted by miknight on Mon, 02/04/2008 - 10:07.

I've cleaned up the patch to bring it in line with coding standards (mainly). It would be good if someone else could just quickly apply and test it in case I've screwed something up.

Thanks for providing this TheWalrus!

AttachmentSize
confirm-delete-all_r108_0.patch 37.79 KB
#4
Submitted by miknight on Mon, 02/11/2008 - 10:54.
Status:patch - code needs review» closed - fixed

Committed with revision 112. Thanks very much TheWalrus!

#5
Submitted by miknight on Thu, 02/14/2008 - 01:06.
Status:closed - fixed» patch - code needs work

OK, looks like we were missing some files. I have attached a zip file of (what should be) all the missing files. We'll come up with a better solution later, but for now you can just download this zip file and extract it into the root of your ProjectPier install.

e.g. cd ~/public_html/projectpier && unzip ~/del_files.zip

It should extract with the right paths (although I haven't actually tested it ;)

Let us know if it works for you!

http://www.youshare.com/view.php?file=del_files.zip

We will probably release 0.8.0.2 to fix this.

#6
Submitted by miknight on Fri, 02/15/2008 - 02:33.
Status:patch - code needs work» closed - fixed

I've cleaned it up and committed it as revision 117 to trunk. Version 0.8.0.2 should be coming up soon.

#7
Submitted by Tim on Fri, 02/29/2008 - 07:14.
Status:closed - fixed» closed - by issue author