OpenStack Dashboard (Horizon)

FilterAction handling doesn't respect HTTP method

Bug #931272 reported by Paul McMillan
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Fix Released
Medium
Gabriel Hurley
OpenStack Dashboard (Horizon) 2012.1 "essex"

Bug Description

Horizon's actions each have a specified allowed HTTP method (e.g. delete can only happen over POST, while filter is specified as a GET). Unfortunately, the checking which separates these seems to be broken. This can be tested by using any of the filters (syspanel has some). The filter string is posted, and the filter action happens, even though this should only be possible through GET.

Revision history for this message
Tihomir Trifonov (ttrifonov) wrote :

Currently each DataTable is wrapped with a POST form:

<form action="{{ table.get_absolute_url }}" method="POST">{% csrf_token %}

The filter actions are rendered inside it, and .. it is almost impossible to be made as separate <form method="GET"> inside the parent form.

A javascript fix could be applied to allow URL modification for filters- something like https://github.com/ttrifonov/horizon/commit/2fac62685b9f0fdbd299286754afc85732480e63

So, a question - should the POST be prohibited for Filters(or other types) ? In the case with javascript processing, a POST is a safe fall-back for non-js browsers..

Devin Carlen (devcamcar)
Changed in horizon:
status: New → Confirmed
importance: Undecided → Low
Devin Carlen (devcamcar)
Changed in horizon:
importance: Low → High
Revision history for this message
Gabriel Hurley (gabriel-hurley) wrote :

Point 1: It's *only* actions which inherit from FilterAction that aren't checking the method. Everything else does. The code for filters just happens to be special-cased for various reasons. That doesn't excuse that code path not checking the action method, though.

Point 2: While search ought to be a GET request, for the sake of enforcing the method checking, it should be marked as a POST with a TODO to figure out how to fix that issue in the long run.

Changed in horizon:
assignee: nobody → Gabriel Hurley (gabriel-hurley)
status: Confirmed → In Progress
importance: High → Medium
summary: - Horizon doesn't respect action methods
+ FilterAction handling doesn't respect HTTP method
Devin Carlen (devcamcar)
tags: added: essex-rc-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5497

Gabriel Hurley (gabriel-hurley)
Changed in horizon:
milestone: none → essex-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/5497
Committed: http://github.com/openstack/horizon/commit/74dd2e9de790ad983af2034d0e56297bb6deaa98
Submitter: Jenkins
Branch: master

commit 74dd2e9de790ad983af2034d0e56297bb6deaa98
Author: Gabriel Hurley <email address hidden>
Date: Sun Mar 18 22:17:30 2012 -0700

    Filter action respects HTTP method. Fixes bug 931272.

    Change-Id: I1c292f741349a2e82a871432fbba0edd9d62044c

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: essex-rc1 → 2012.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.