FilterAction handling doesn't respect HTTP method
Bug #931272 reported by Paul McMillan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Dashboard (Horizon) | Fix Released | Medium | Gabriel Hurley | |
Bug Description
Horizon's actions each have a specified allowed HTTP method (e.g. delete can only happen over POST, while filter is specified as a GET). Unfortunately, the checking which separates these seems to be broken. This can be tested by using any of the filters (syspanel has some). The filter string is posted, and the filter action happens, even though this should only be possible through GET.
Changed in horizon:
status: New → Confirmed
importance: Undecided → Low
Changed in horizon:
importance: Low → High
tags: added: essex-rc-potential
Changed in horizon:
milestone: none → essex-rc1
Changed in horizon:
status: Fix Committed → Fix Released
Changed in horizon:
milestone: essex-rc1 → 2012.1
Currently each DataTable is wrapped with a POST form:
<form action="{{ table.get_absolute_url }}" method="POST">{% csrf_token %}
The filter actions are rendered inside it, and it is almost impossible to make them a separate <form method="GET"> inside the parent form.
A JavaScript fix could be applied to allow URL modification for filters, something like https://github.com/ttrifonov/horizon/commit/2fac62685b9f0fdbd299286754afc85732480e63
So, a question: should POST be prohibited for Filters (or other types)? In the case with JavaScript processing, a POST is a safe fall-back for non-JS browsers.
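
The method check this bug report describes, as an added example that is not Horizon's code and not part of the thread above: a stand-alone Python sketch in which `Action`, `Request`, `dispatch_unchecked` and `dispatch_checked` are hypothetical names. It models the reported behaviour beside a dispatcher that enforces each action's declared method and reads the action parameter only from the matching channel.

```python
# Hypothetical stand-alone model: none of these names are Horizon's classes.
from dataclasses import dataclass, field


@dataclass
class Action:
    name: str
    method: str  # the one HTTP method this action declares: "GET" or "POST"

    def handle(self, params):
        return f"{self.name} ran with {params.get(self.name, '')!r}"


@dataclass
class Request:
    method: str
    GET: dict = field(default_factory=dict)    # query-string parameters
    POST: dict = field(default_factory=dict)   # form-body parameters


ACTIONS = {a.name: a for a in (Action("filter", "GET"), Action("delete", "POST"))}


def _requested(request):
    """Return (action, params) for the first action named in the request data."""
    for params in (request.POST, request.GET):
        for name in params:
            if name in ACTIONS:
                return ACTIONS[name], params
    return None, {}


def dispatch_unchecked(request):
    """Models the reported behaviour: the declared method is never compared."""
    action, params = _requested(request)
    return (200, action.handle(params)) if action else (404, "no action")


def dispatch_checked(request):
    """Run the action only when the request method matches its declaration."""
    action, _ = _requested(request)
    if action is None:
        return 404, "no action"
    # Read parameters only from the channel that matches the declared method,
    # so a POST carrying ?delete=... in the query string is rejected too.
    source = request.GET if action.method == "GET" else request.POST
    if request.method.upper() != action.method or action.name not in source:
        return 405, f"{action.name} requires {action.method}"
    return 200, action.handle(source)
```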