View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009343 | mantisbt | scripting | public | 2008-07-04 09:47 | 2008-10-18 18:32 |
Reporter | giallu | Assigned To | jreese |
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed |
Product Version | 1.1.2 |
Target Version | 1.1.3 | Fixed in Version | 1.1.3 |
Summary | 0009343: form security token prevents changing relationship while resolving bug |
Description | Proof of concept... |
Tags | No tags attached. |
The offending helper_ensure_confirmed call is in bug_api.php, in function bug_resolve() |
|
I'm wondering if it makes sense at all to have a helper_ensure_confirmed call so deep in the API... For instance, what happens if bug_resolve is called from the SOAP API? |
|
Fixed in 1.1.3, SVN r5399, and trunk, SVN r5398. |
|
I am not sure removing all confirmation dialogs is a good idea as a correction…
|
|
We are not removing all the confirmation dialogs. This particular call to the confirmation page was happening too deep in the API; of course there is nothing wrong with asking the user for confirmation for an irreversible operation, but that check should happen in the page, not in the API. That said, please open a new ticket for the custom field removal; it needs to be fixed as well. |
|
MantisBT: master 7ae4a0fa 2008-07-09 11:44 Details Diff |
Fix 0009343: Remove confirmation message when resolving an issue as duplicate. The confirmation message is IMO rather pointless, and as pointed out by Giallu, certainly should not be done from inside an API, which could disrupt use by SOAP, etc. Will port to fix 1.1.x branch. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5398 f5dc347c-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0000001, 0009343 |
|
mod - core/bug_api.php | Diff File | ||
MantisBT: master-1.1.x 56892f93 2008-07-09 11:49 Details Diff |
Fix 0009343: Remove confirmation message when resolving an issue as duplicate. The confirmation message is IMO rather pointless, and as pointed out by Giallu, certainly should not be done from inside an API, which could disrupt use by SOAP, etc. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5399 f5dc347c-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0009343 |
|
mod - core/bug_api.php | Diff File |