Edgewall Software
Modify

Opened 8 years ago

Closed 8 years ago

#12592 closed defect (fixed)

Batch modify should require POST method

Reported by: Jun Omae Owned by: Jun Omae
Priority: normal Milestone: 1.0.14
Component: query system Version:
Severity: normal Keywords: batch-modify
Cc: Branch:
Release Notes:

Batch modify requires POST method.

API Changes:
Internal Changes:

Description

Batch modify doesn't check whether HTTP method is POST. We should require POST.

  • trac/ticket/batch.py

    diff --git a/trac/ticket/batch.py b/trac/ticket/batch.py
    index 5fcedc4ef..464cd18af 100644
    a b from trac.ticket.notification import BatchTicketNotifyEmail  
    2828from trac.util.datefmt import datetime_now, utc
    2929from trac.util.text import exception_to_unicode, to_unicode
    3030from trac.util.translation import _, tag_
    31 from trac.web.api import IRequestFilter, IRequestHandler
     31from trac.web.api import IRequestFilter, IRequestHandler, HTTPBadRequest
    3232from trac.web.chrome import add_warning, add_script_data
    3333
    3434
    class BatchModifyModule(Component):  
    5353        return req.path_info == '/batchmodify'
    5454
    5555    def process_request(self, req):
     56        if req.method != 'POST':
     57            raise HTTPBadRequest(_("Invalid request arguments."))
    5658        req.perm.assert_permission('TICKET_BATCH_MODIFY')
    5759
    5860        comment = req.args.get('batchmod_value_comment', '')
  • trac/ticket/tests/batch.py

    diff --git a/trac/ticket/tests/batch.py b/trac/ticket/tests/batch.py
    index c05cf765f..eff9daf0c 100644
    a b from trac.ticket import default_workflow, web_ui  
    2323from trac.ticket.batch import BatchModifyModule
    2424from trac.ticket.model import Ticket
    2525from trac.util.datefmt import datetime_now, utc
     26from trac.web.api import HTTPBadRequest, RequestDone
    2627from trac.web.chrome import web_context
    2728
    2829
    class BatchModifyTestCase(unittest.TestCase):  
    106107        selected_tickets = batch._get_selected_tickets(self.req)
    107108        self.assertEqual(selected_tickets, [])
    108109
     110    def test_require_post_method(self):
     111        batch = BatchModifyModule(self.env)
     112        req = MockRequest(self.env, method='GET', path_info='/batchmodify')
     113        self.assertTrue(batch.match_request(req))
     114        self.assertRaises(HTTPBadRequest, batch.process_request, req)
     115        req = MockRequest(self.env, method='POST', path_info='/batchmodify',
     116                          args={'selected_tickets': ''})
     117        self.assertTrue(batch.match_request(req))
     118        self.assertRaises(RequestDone, batch.process_request, req)
     119
    109120    # Assign list items
    110121
    111122    def test_change_list_replace_empty_with_single(self):

Attachments (0)

Change History (2)

comment:1 by Jun Omae, 8 years ago

Component: ticket systemquery system
Owner: set to Jun Omae
Status: newassigned

comment:2 by Jun Omae, 8 years ago

Release Notes: modified (diff)
Resolution: fixed
Status: assignedclosed

Committed in [15160] and merged in [15161-15162].

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jun Omae.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jun Omae to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.