OpenStack Dashboard (Horizon)

FilterAction handling doesn't respect HTTP method

Reported by Paul McMillan on 2012-02-13
Affects: OpenStack Dashboard (Horizon)
Importance: Medium
Assigned to: Gabriel Hurley

Bug Description

Horizon's actions each have a specified allowed HTTP method (e.g. delete can only happen over POST, while filter is specified as a GET). Unfortunately, the checking which separates these seems to be broken. This can be tested by using any of the filters (syspanel has some). The filter string is posted, and the filter action happens, even though this should only be possible through GET.

Tihomir Trifonov (ttrifonov) wrote :

Currently each DataTable is wrapped with a POST form:

<form action="{{ table.get_absolute_url }}" method="POST">{% csrf_token %}

The filter actions are rendered inside it, and... it is almost impossible to make them a separate <form method="GET"> inside the parent form.

A JavaScript fix could be applied to allow URL modification for filters, something like https://github.com/ttrifonov/horizon/commit/2fac62685b9f0fdbd299286754afc85732480e63

So, a question: should POST be prohibited for Filters (or other types)? In the case of JavaScript processing, a POST is a safe fallback for non-JS browsers.

Devin Carlen (devcamcar) on 2012-02-20
Changed in horizon:
status: New → Confirmed
importance: Undecided → Low
Devin Carlen (devcamcar) on 2012-02-20
Changed in horizon:
importance: Low → High
Gabriel Hurley (gabriel-hurley) wrote :

Point 1: It's *only* actions which inherit from FilterAction that aren't checking the method. Everything else does. The code for filters just happens to be special-cased for various reasons. That doesn't excuse that code path not checking the action method, though.

Point 2: While search ought to be a GET request, for the sake of enforcing the method checking, it should be marked as a POST with a TODO to figure out how to fix that issue in the long run.

Changed in horizon:
assignee: nobody → Gabriel Hurley (gabriel-hurley)
status: Confirmed → In Progress
importance: High → Medium
summary: - Horizon doesn't respect action methods
+ FilterAction handling doesn't respect HTTP method
Devin Carlen (devcamcar) on 2012-03-19
tags: added: essex-rc-potential
Changed in horizon:
milestone: none → essex-rc1

Reviewed: https://review.openstack.org/5497
Committed: http://github.com/openstack/horizon/commit/74dd2e9de790ad983af2034d0e56297bb6deaa98
Submitter: Jenkins
Branch: master

commit 74dd2e9de790ad983af2034d0e56297bb6deaa98
Author: Gabriel Hurley <email address hidden>
Date: Sun Mar 18 22:17:30 2012 -0700

    Filter action respects HTTP method. Fixes bug 931272.

    Change-Id: I1c292f741349a2e82a871432fbba0edd9d62044c

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-03-20
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in horizon:
milestone: essex-rc1 → 2012.1
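
The failure mode discussed in this report, as an added example that is not Horizon's code and not part of the thread: a per-action method check that a special-cased path skips, beside a dispatcher that checks once before any special-casing. The names Action, Table, handle_unchecked, handle_checked and the sample request are hypothetical; the last two cases show the option raised above of declaring the filter as POST, and that other actions stay method-bound.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class Action:
    name: str
    method: str                       # the one HTTP method this action accepts
    handler: Callable[[Dict[str, str]], str]
    special_cased: bool = False       # stands in for the filter code path

class Table:
    def __init__(self, *actions: Action):
        self.actions = {a.name: a for a in actions}

    def handle_unchecked(self, method: str, data: Dict[str, str]) -> Optional[str]:
        """Reported behaviour: the special-cased path never compares methods."""
        action = self.actions.get(data.get("action", ""))
        if action is None:
            return None
        if action.special_cased:
            return action.handler(data)
        return action.handler(data) if method == action.method else None

    def handle_checked(self, method: str, data: Dict[str, str]) -> Optional[str]:
        """Method check runs once, before any per-action special-casing."""
        action = self.actions.get(data.get("action", ""))
        if action is None or method.upper() != action.method.upper():
            return None
        return action.handler(data)

def make_table(filter_method: str) -> Table:
    return Table(
        Action("delete", "POST", lambda d: "deleted " + d["id"]),
        Action("filter", filter_method, lambda d: "filtered by " + d["q"],
               special_cased=True),
    )

# Constructed request: the filter string submitted through the table's POST form.
POSTED_FILTER = {"action": "filter", "q": "admin"}

def demo() -> Dict[str, Optional[str]]:
    get_only, post_marked = make_table("GET"), make_table("POST")
    return {
        "unchecked": get_only.handle_unchecked("POST", POSTED_FILTER),
        "checked": get_only.handle_checked("POST", POSTED_FILTER),
        "checked_get": get_only.handle_checked("GET", POSTED_FILTER),
        "marked_post": post_marked.handle_checked("POST", POSTED_FILTER),
        "delete_via_get": get_only.handle_checked("GET", {"action": "delete", "id": "7"}),
    }

if __name__ == "__main__":
    print(demo())
```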