Move up/down endpoints should use POST requests #51
Comments
Just a question -- why?
Because GET requests should not, by definition, change state.
The keyword to search for is CSRF.
Fair enough -- so does anyone plan to give the author a pull req?
There are a few practical problems:
I still think it's important though, it's not secure now, one can easily manipulate order through a simple CSRF url posted somewhere.
…to prevent CSRF vulnerability; needed a bit of voodoo for thread-safety but it's all documented in comments; note the downsides in issue django-ordered-model#51, which are real, but I feel less severe than security vulnerability
I think this was fixed?
Oh, not yet.
Might be possible to make the up/down links all submit the main form (rather than a nested form, or random get request) with different actions for each button. Would allow dropping all the custom url generation as it would all go via the existing page change handler, with some magic in the Form generation to recover the action and emit an event or similar to update the model. I'm not nearly enough of a django hacker to get it working though.
I've been looking at what https://github.com/django-mptt/django-mptt/blob/master/mptt/admin.py#L147 Client-side, the result from the Ajax call is ignored, and jQuery simply reloads the current page to show the new ordering: https://github.com/django-mptt/django-mptt/blob/master/mptt/static/mptt/draggable-admin.js#L223 This seems a neat solution. We would need to add inheritance to any changelist page that includes an OrderedTabularInline (replacing the url extending code we have at the moment).
@shuckc I take it you mean this? https://caniuse.com/#feat=form-submit-attributes Because as far as I see it, there is no need to do away with the existing Of course, it would be nice if the I'm prepared to do this if it's considered a worthwhile change.
Currently the move up/down endpoints allow GET requests to change state. They should be POST requests.
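The GET-versus-POST point the issue makes, as an added example that is not code from django-ordered-model or Django: a minimal stand-in for the admin move endpoint, with the state-changing GET shape next to a POST-only handler that checks a session-bound CSRF token. The `Request`, `OrderedStore` and view names are assumptions made for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str          # e.g. "/move/3/up/" (constructed route shape, not the project's)
    session: dict      # what the browser attaches automatically (cookie-backed session)
    form: dict = field(default_factory=dict)  # body fields; a cross-site GET has none


@dataclass
class OrderedStore:
    """Stand-in for an ordered model table: a list of primary keys in display order."""
    items: list

    def move(self, pk, direction):
        i = self.items.index(pk)
        j = i - 1 if direction == "up" else i + 1
        if 0 <= j < len(self.items):
            self.items[i], self.items[j] = self.items[j], self.items[i]
        return list(self.items)


def _parse(path):
    _, _, pk, direction, _ = path.split("/")
    return int(pk), direction


def move_view_get(store, request):
    """The shape the issue objects to: any request to the URL changes state,
    so a link or image tag on another site reorders the victim's data."""
    return 200, store.move(*_parse(request.path))


def issue_csrf_token(session):
    """Called when the admin page is rendered; the token is embedded in the form."""
    session.setdefault("csrftoken", secrets.token_hex(16))
    return session["csrftoken"]


def move_view_post(store, request):
    """Hardened shape: POST only, and the form must echo the session's token,
    which a page on another origin cannot read."""
    if request.method != "POST":
        return 405, list(store.items)
    expected = request.session.get("csrftoken", "")
    supplied = request.form.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, list(store.items)
    return 200, store.move(*_parse(request.path))
```

The 405 and 403 branches are what a forged cross-site request hits; only a form rendered by the admin page itself carries the matching token.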