View Issue Details

ID: 0030541
Project: mantisbt
Category: documentation
View Status: public
Last Update: 2022-06-24 04:05
Reporter: TomekAP
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.13.0
Target Version: 2.25.5
Fixed in Version: 2.25.5
Summary: 0030541: Impossibility of deleting attachment with form security validation turned on
Description
  1. Turn on form security validation
  2. Add file on the documentation page (proj_doc_page.php)
  3. Delete this file
  4. You receive 2800 - ERROR_FORM_TOKEN_INVALID
  5. The reason is: the link doesn't contain token: /proj_doc_delete.php?file_id=12345, while the page requires it: form_security_validate( 'proj_doc_delete' );
Tags: No tags attached.

Activities

dregad

2022-06-11 05:13

developer   ~0066717

Regression introduced by MantisBT master 87ec8b45

dregad

2022-06-11 09:19

developer   ~0066719

PR https://github.com/mantisbt/mantisbt/pull/1824

dregad

2022-06-15 12:26

developer   ~0066751

@TomekAP testing and feedback on the proposed fix would be appreciated.

TomekAP

2022-06-15 16:22

reporter   ~0066752

@dregad works as expected, thank you

Related Changesets

MantisBT: master 87ec8b45

2018-02-12 13:00

dregad


<form> not allowed in <span> context

Use print_link_button() instead of print_form_button().

This allows keeping the <span>, which is used to float the buttons to
the right.
Affected Issues
0030541
mod - proj_doc_page.php

MantisBT: master-2.25 abafd6b4

2022-06-11 06:30

dregad


Use standard table layout for proj_doc_page.php

Previously the files were presented with a hybrid layout using floating
<span> blocks within a table cell. The use of print_form_buttons()
within the span tag generated invalid HTML, a problem that was fixed in
87ec8b45bca75ade53150f1f4b669604b71a67ad but that commit introduced a
regression because the CSRF token was not passed on so it was no longer
possible to delete documents.

We now switch to a fully tabular layout, moving the data within the
spans (project, creation date, action buttons) to their own columns and
adjust the markup to align to standard MantisBT UI.

Fixes 0030541
Affected Issues
0030541
mod - proj_doc_page.php
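
The regression reported above, modeled as an added example that is not MantisBT code: a delete handler that validates a per-form token accepts a request built from a form button, which posts the token as a field, and rejects one built from a plain link, which carries only `file_id`. The function names, the in-memory `$session` array and the `<form>_token` field name are assumptions of this sketch.

```php
<?php
// Simplified model of per-form CSRF tokens. Hypothetical helper names;
// $session stands in for server-side session storage.

function issue_token(array &$session, string $form): string {
    $token = bin2hex(random_bytes(16));
    $session[$form][] = $token;           // several tokens may be outstanding
    return $token;
}

function validate_token(array &$session, string $form, array $request): bool {
    $supplied = $request[$form . '_token'] ?? '';   // assumed field name
    if (!is_string($supplied) || $supplied === '') {
        return false;                     // request carries no token at all
    }
    foreach ($session[$form] ?? [] as $i => $known) {
        if (hash_equals($known, $supplied)) {       // constant-time compare
            unset($session[$form][$i]);   // single use: a replay is rejected
            return true;
        }
    }
    return false;
}

// Form button: the token is issued at render time and posted as a field.
function form_button_fields(array &$session, string $form, array $args): array {
    return $args + [$form . '_token' => issue_token($session, $form)];
}

// Link button: only what is in the URL reaches the handler.
function link_button_fields(string $url): array {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $fields);
    return $fields;
}

function handle_delete(array &$session, array $request): string {
    return validate_token($session, 'proj_doc_delete', $request)
        ? 'file ' . (int) $request['file_id'] . ' deleted'
        : '2800 - ERROR_FORM_TOKEN_INVALID';
}

$session = [];
// Link from the report: no token in the query string.
echo handle_delete($session, link_button_fields('/proj_doc_delete.php?file_id=12345')), "\n";
// Form button: token travels with the posted fields; the second call replays it.
$posted = form_button_fields($session, 'proj_doc_delete', ['file_id' => 12345]);
echo handle_delete($session, $posted), "\n";
echo handle_delete($session, $posted), "\n";
```

Posting the token as a form field also keeps it out of URLs, which end up in server logs and browser history.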