View Issue Details

IDProjectCategoryView StatusLast Update
0009123mantisbtrelationshipspublic2017-02-24 13:46
Reporterprzemek7bc Assigned Tovboctor  
PrioritynormalSeverityblockReproducibilityalways
Status closedResolutionunable to reproduce 
Product Versiongit trunk 
Summary0009123: Can't delete relation of a bug
Description

The link to delete a bug relation will generate a HTTP GET request, but bug_relationship_delete.php calls helper_ensure_post() to ensure the request uses POST method.

I could make a patch, but I don't know which request is corrent, GET or POST.

Steps To Reproduce

Add a bug relation and try to delete it.

Tagspatch
Attached Files
relationship_delete.patch (1,665 bytes)   
Index: core/relationship_api.php
===================================================================
--- core/relationship_api.php	(wersja 5247)
+++ core/relationship_api.php	(kopia robocza)
@@ -652,7 +652,8 @@
 		# add delete link if bug not read only and user has access level
 		if ( !bug_is_readonly( $p_bug_id ) && !current_user_is_anonymous() && ( $p_html_preview == false ) ) {
 			if ( access_has_bug_level( config_get( 'update_bug_threshold' ), $p_bug_id ) ) {
-				$t_relationship_info_html .= " [<a class=\"small\" href=\"bug_relationship_delete.php?bug_id=$p_bug_id&rel_id=$p_relationship->id\">" . lang_get('delete_link') . '</a>]';
+				//$t_relationship_info_html .= " [<a class=\"small\" href=\"bug_relationship_delete.php?bug_id=$p_bug_id&rel_id=$p_relationship->id\">" . lang_get('delete_link') . '</a>]';
+				$t_relationship_info_html .= " [<a class=\"small\" href=\"javascript:deleteBug($p_bug_id, $p_relationship->id);\">" . lang_get('delete_link') . '</a>]';
 			}
 		}
 
@@ -698,8 +699,18 @@
 			}
 			$t_summary = '<table border="0" width="100%" cellpadding="0" cellspacing="1">' . $t_summary . '</table>';
 		}
+		
+		$t_form = '<form action="bug_relationship_delete.php" method="post" id="deleteBugForm" style="margin: 0px"></form>';
+		$t_script = '<script language="javascript">'."\n"
+			.'function deleteBug(bug_id, rel_id) {'."\n"
+			.'   var form = document.getElementById(\'deleteBugForm\');'."\n"
+			.'   form.action = form.action + \'?bug_id=\' + bug_id + \'&rel_id=\' + rel_id;'."\n"
+			.'   form.submit();'."\n"
+			.'}'."\n"
+			.'</script>';
+		
 
-		return $t_summary;
+		return $t_form.$t_script.$t_summary;
 	}
 
 	/**
relationship_delete.patch (1,665 bytes)   

Activities

giallu

giallu

2008-05-05 04:17

reporter   ~0017771

It was decided that commands performing database write operations should be converted to POST that's why helper_ensure_post was added.

przemek7bc

przemek7bc

2008-05-05 06:30

reporter   ~0017773

This patch converts the [Delete] so it calls deleteBug() function which is generated with relationship_get_summary_html.

vboctor

vboctor

2008-07-14 03:52

manager   ~0018488

  1. Isn't the helper_ensure_post() commented out in the latest code?
  2. Wouldn't it be simpler if we have a button (we can use class small) rather than a link + javascript?
giallu

giallu

2008-07-14 18:51

reporter   ~0018520

yes, latest code will not exhibit the problem due to the removal of ensure_post.

The underlying issue is still there, that is we need to move the operation to a POST form

vboctor

vboctor

2009-05-20 03:01

manager   ~0021857

This is no longer targeted for 1.2.x given that the deletion logic work. It becomes a lower priority cleanup fix to change the link to a button. It is important to note that even if the page is crawled, it is not an issue given that there is a confirmation page that requires a post.