Roundup Tracker - Issues

Issue 2550563

classification
Title: Incomplete security checks in cgi.actions
Type: security  Severity: critical
Components: Web interface  Versions: devel
process
Status: closed  Resolution: fixed
Nosy List: ajaksu2, richard, stefan
Priority: urgent

Created on 2009-07-13 01:50 by stefan, last changed 2009-07-20 06:27 by richard.

Messages
msg3768 Author: [hidden] (stefan) Date: 2009-07-13 01:50
Roundup seems to now be trying to ensure that modifications occur via
HTTP POST transactions, presumably as a security thing.  (It's harder to
construct a POST than simply to type a URL into your browser; this
isn't more secure in a theoretical sense, but it is more secure in
practice.)

But, these checks aren't actually generating errors.  For example,
from RetireAction.handle:

        if self.client.env['REQUEST_METHOD'] != 'POST':
            self.client.error_message.append(self._('Invalid request'))

But, note that there is no return statement at this point, or
exception thrown.  Therefore, all that's going to happen is that the
user will see the error -- but the retire is still going to occur.
There's no security, but there will be user confusion -- the user will
see an "Invalid request" error *but the transaction will still occur*.
The user will perhaps think it didn't, but it did.  Furthermore,
that's a horrible error message; it should be something like "Actions
that modify the database must be done via HTTP POST" or something.
The same problem seems to be true in all cases where this check is
performed.
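To make the fall-through concrete, here is an added example (not Roundup's own code and not part of this issue): a constructed stand-in client and two handlers, one mirroring the reported shape in which the check only appends a message, and one that aborts before the mutation. The class and exception names are hypothetical.

```python
# Added example, not Roundup's code: a minimal stand-in for the Client/Action
# pair so the reported defect and a corrected handler can be run side by side.
class FakeClient:
    """Hypothetical stand-in for the cgi Client: just env and messages."""
    def __init__(self, method, nodeid="1"):
        self.env = {"REQUEST_METHOD": method}
        self.nodeid = nodeid
        self.error_message = []
        self.retired = set()      # records which nodes a retire actually hit

class InvalidRequest(Exception):
    """Hypothetical exception: the handler aborts on a non-POST request."""

class LeakyRetireAction:
    """Mirrors the shape reported in msg3768: the check appends an error
    message but falls through, so the retire still happens."""
    def __init__(self, client):
        self.client = client
    def _(self, s):               # stand-in for the i18n hook
        return s
    def handle(self):
        if self.client.env["REQUEST_METHOD"] != "POST":
            self.client.error_message.append(self._("Invalid request"))
        # no return or raise here, so execution continues into the mutation
        self.client.retired.add(self.client.nodeid)

class StrictRetireAction(LeakyRetireAction):
    """Corrected form: a failed method check aborts before any mutation."""
    def handle(self):
        if self.client.env["REQUEST_METHOD"] != "POST":
            self.client.error_message.append(self._(
                "Actions that modify the database must be done via HTTP POST"))
            raise InvalidRequest(self.client.error_message[-1])
        self.client.retired.add(self.client.nodeid)

def run(action_cls, method):
    """Drive one handler with a request of the given method and report
    (retire_happened, error_messages) so the two behaviours can be compared."""
    client = FakeClient(method)
    try:
        action_cls(client).handle()
    except InvalidRequest:
        pass
    return (client.nodeid in client.retired, list(client.error_message))

if __name__ == "__main__":
    # GET through the leaky handler: error shown AND retire performed
    print(run(LeakyRetireAction, "GET"))    # (True, ['Invalid request'])
    # GET through the strict handler: error shown, nothing retired
    print(run(StrictRetireAction, "GET"))
    print(run(StrictRetireAction, "POST"))  # (True, [])
```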
msg3822 Author: [hidden] (richard) Date: 2009-07-20 06:27
Apparently I fixed that in r4210.
History
Date                 User     Action  Args
2009-07-20 06:27:16  richard  set     status: new -> closed; resolution: fixed; messages: + msg3822
2009-07-13 01:50:25  stefan   create