View Issue Details

ID: 0009343
Project: mantisbt
Category: scripting
View Status: public
Last Update: 2008-10-18 18:32
Reporter: giallu
Assigned To: jreese
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.1.2
Target Version: 1.1.3
Fixed in Version: 1.1.3
Summary: 0009343: form security token prevents changing relationship while resolving bug
Description

Proof of concept...

  1. open 0009305
  2. click on "resolve"
  3. select "Duplicate" as resolution
  4. add 9309 as duplicate id
  5. submit
  6. confirm the relationship replacement
Tags: No tags attached.

Relationships

has duplicate 0009367 (closed, jreese): Invalid form security token. Did you submit the form twice by accident?

Activities

giallu

2008-07-04 09:47

reporter   ~0018304

the offending helper_ensure_confirmed call is in bug_api.php, in function bug_resolve()

giallu

2008-07-04 11:00

reporter   ~0018305

I'm wondering if it makes sense at all to have a helper_ensure_confirmed call so deep in the api...

For instance, what happens if bug_resolve is called from the SOAP api?

jreese

2008-07-09 11:51

reporter   ~0018353

Fixed in 1.1.3, SVN r5399, and trunk, SVN r5398.

sveyret

2008-07-16 08:50

reporter   ~0018583

I am not sure removing all confirmation dialogs is a good idea as a correction…
There is the same incident when removing a custom field in project manager page.

  1. Add a custom field to a project.
  2. On project page, click on remove for that custom field.
  3. Confirm removal.

giallu

2008-07-16 09:21

reporter   ~0018584

We are not removing all the confirmation dialogs. This particular call to the confirmation page was happening too deep in the API; of course there is nothing wrong with asking the user for confirmation for an irreversible operation, but that check should happen in the page, not in the API.

That said, please open a new ticket for the custom field removal, it needs to be fixed as well.
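
The ordering problem discussed in this thread, as an added example (not MantisBT code and not part of any comment above): a minimal PHP model, assuming single-use form tokens and using hypothetical function names, of why a confirmation step inside the API breaks the confirm re-post and how page-level confirmation avoids it. The committed fix took a different route and removed the confirmation.

```php
<?php
// Added illustration with hypothetical names; not MantisBT source code.
// Assumption: a form token is single-use and is consumed on validation.
function token_issue(array &$session): string {
    $t = bin2hex(random_bytes(16));
    $session['tokens'][$t] = true;
    return $t;
}

function token_validate(array &$session, string $t): bool {
    if (!isset($session['tokens'][$t])) {
        return false;                  // unknown or already spent
    }
    unset($session['tokens'][$t]);     // consume: one token, one request
    return true;
}

// Before: confirmation is requested inside the API, after the page has
// already spent the token, so the confirm form re-posts a dead token.
function api_resolve_confirming(array $post): string {
    return isset($post['confirmed']) ? 'resolved' : 'needs_confirm';
}
function page_before(array &$session, array $post): string {
    if (!token_validate($session, $post['token'])) {
        return 'invalid_token';
    }
    return api_resolve_confirming($post);
}

// After: the API only acts. The page asks for confirmation first and
// validates the token on the request that actually changes state.
function api_resolve(array $post): string {
    return 'resolved';
}
function page_after(array &$session, array $post): string {
    if (!isset($post['confirmed'])) {
        return 'needs_confirm';        // nothing changed, token unspent
    }
    return token_validate($session, $post['token'])
        ? api_resolve($post) : 'invalid_token';
}

// Constructed request pair: initial submit, then the confirm re-post.
function run_flow(callable $page): array {
    $session = ['tokens' => []];
    $post = ['token' => token_issue($session), 'duplicate_id' => 9309];
    return [$page($session, $post), $page($session, $post + ['confirmed' => 1])];
}
var_export([run_flow('page_before'), run_flow('page_after')]);
```

In the first flow the confirm re-post is rejected as an invalid token; in the second the same re-post validates and the action runs, and a caller with no form at all can use `api_resolve()` directly.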

Related Changesets

MantisBT: master 7ae4a0fa

2008-07-09 11:44

jreese


Fix 0009343: Remove confirmation message when resolving an issue as duplicate.
The confirmation message is IMO rather pointless, and as pointed out by Giallu, certainly should not be done from inside an API, which could disrupt use by SOAP, etc.
Will port to fix 1.1.x branch.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5398 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0000001, 0009343
mod - core/bug_api.php

MantisBT: master-1.1.x 56892f93

2008-07-09 11:49

jreese


Fix 0009343: Remove confirmation message when resolving an issue as duplicate.
The confirmation message is IMO rather pointless, and as pointed out by Giallu, certainly should not be done from inside an API, which could disrupt use by SOAP, etc.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5399 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0009343
mod - core/bug_api.php