Context Navigation

Modify ↓

#12592 closed defect (fixed)

Batch modify should require POST method

Reported by:	Jun Omae	Owned by:	Jun Omae
Priority:	normal	Milestone:	1.0.14
Component:	query system	Version:
Severity:	normal	Keywords:	batch-modify
Cc:		Branch:
Release Notes:	Batch modify requires POST method.
API Changes:
Internal Changes:

Description

Batch modify doesn't check whether HTTP method is POST. We should require POST.

trac/ticket/batch.py

diff --git a/trac/ticket/batch.py b/trac/ticket/batch.py
index 5fcedc4ef..464cd18af 100644

                from trac.ticket.notification import BatchTicketNotifyEmail
 from trac.util.datefmt import datetime_now, utc
 from trac.util.text import exception_to_unicode, to_unicode
 from trac.util.translation import _, tag_
 from trac.web.api import IRequestFilter, IRequestHandler
+from trac.web.api import IRequestFilter, IRequestHandler, HTTPBadRequest
 from trac.web.chrome import add_warning, add_script_data
-…
+               class BatchModifyModule(Component):
         return req.path_info == '/batchmodify'
     def process_request(self, req):
+        if req.method != 'POST':
+            raise HTTPBadRequest(_("Invalid request arguments."))
         req.perm.assert_permission('TICKET_BATCH_MODIFY')
         comment = req.args.get('batchmod_value_comment', '')

trac/ticket/tests/batch.py

diff --git a/trac/ticket/tests/batch.py b/trac/ticket/tests/batch.py
index c05cf765f..eff9daf0c 100644

                from trac.ticket import default_workflow, web_ui
 from trac.ticket.batch import BatchModifyModule
 from trac.ticket.model import Ticket
 from trac.util.datefmt import datetime_now, utc
+from trac.web.api import HTTPBadRequest, RequestDone
 from trac.web.chrome import web_context
-…
+               class BatchModifyTestCase(unittest.TestCase):
         selected_tickets = batch._get_selected_tickets(self.req)
         self.assertEqual(selected_tickets, [])
+    def test_require_post_method(self):
+        batch = BatchModifyModule(self.env)
+        req = MockRequest(self.env, method='GET', path_info='/batchmodify')
+        self.assertTrue(batch.match_request(req))
+        self.assertRaises(HTTPBadRequest, batch.process_request, req)
+        req = MockRequest(self.env, method='POST', path_info='/batchmodify',
+                          args={'selected_tickets': ''})
+        self.assertTrue(batch.match_request(req))
+        self.assertRaises(RequestDone, batch.process_request, req)
     # Assign list items
     def test_change_list_replace_empty_with_single(self):

Attachments (0)

Change History (2)

comment:1 by Jun Omae, 8 years ago

Component:	ticket system → query system
Owner:	set to Jun Omae
Status:	new → assigned

comment:2 by Jun Omae, 8 years ago

Release Notes:	modified (diff)
Resolution:	→ fixed
Status:	assigned → closed

Committed in [15160] and merged in [15161-15162].

Modify Ticket

Change Properties

Summary:
Description:	Batch modify doesn't check whether HTTP method is POST. We should require POST. {{{#!diff diff --git a/trac/ticket/batch.py b/trac/ticket/batch.py index 5fcedc4ef..464cd18af 100644 --- a/trac/ticket/batch.py +++ b/trac/ticket/batch.py @@ -28,7 +28,7 @@ from trac.ticket.notification import BatchTicketNotifyEmail from trac.util.datefmt import datetime_now, utc from trac.util.text import exception_to_unicode, to_unicode from trac.util.translation import _, tag_ -from trac.web.api import IRequestFilter, IRequestHandler +from trac.web.api import IRequestFilter, IRequestHandler, HTTPBadRequest from trac.web.chrome import add_warning, add_script_data @@ -53,6 +53,8 @@ class BatchModifyModule(Component): return req.path_info == '/batchmodify' def process_request(self, req): + if req.method != 'POST': + raise HTTPBadRequest(_("Invalid request arguments.")) req.perm.assert_permission('TICKET_BATCH_MODIFY') comment = req.args.get('batchmod_value_comment', '') diff --git a/trac/ticket/tests/batch.py b/trac/ticket/tests/batch.py index c05cf765f..eff9daf0c 100644 --- a/trac/ticket/tests/batch.py +++ b/trac/ticket/tests/batch.py @@ -23,6 +23,7 @@ from trac.ticket import default_workflow, web_ui from trac.ticket.batch import BatchModifyModule from trac.ticket.model import Ticket from trac.util.datefmt import datetime_now, utc +from trac.web.api import HTTPBadRequest, RequestDone from trac.web.chrome import web_context @@ -106,6 +107,16 @@ class BatchModifyTestCase(unittest.TestCase): selected_tickets = batch._get_selected_tickets(self.req) self.assertEqual(selected_tickets, []) + def test_require_post_method(self): + batch = BatchModifyModule(self.env) + req = MockRequest(self.env, method='GET', path_info='/batchmodify') + self.assertTrue(batch.match_request(req)) + self.assertRaises(HTTPBadRequest, batch.process_request, req) + req = MockRequest(self.env, method='POST', path_info='/batchmodify', + args={'selected_tickets': ''}) + self.assertTrue(batch.match_request(req)) + self.assertRaises(RequestDone, batch.process_request, req) + # Assign list items def test_change_list_replace_empty_with_single(self): }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:	Batch modify requires POST method.
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Jun Omae.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Jun Omae to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: