View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0002601||HTML & PERL||Bug Report||public||2016-09-16 05:33||2016-10-12 23:17|
|Priority||normal||Severity||minor||Reproducibility||have not tried|
|Fixed in Version||2016-11|
|Summary||0002601: It is possible to (attempt to) delete a tagreltb entry via URL hack|
|Description||Deleting a tagreltb entry is a surefire way to wreak havoc in the related tag. I don't know whether recreating the entry without database magic is even possible.|
It is possible, by hacking the URL, to issue a del creq on tagreltb entities. While that is highly unlikely, and the offending user would certainly be made an example of, it is not outside the realm of imagination that a half-asleep mod might end up granting such a creq by pressing the wrong button or something.
Please add a check that halts the action and throws an error if the user attempts to issue a del creq on that specific table.
Example of such a creq in action, and of its results: https://devint.anidb.net/c7913492
|Steps To Reproduce||https://devint.anidb.net/perl-bin/animedb.pl?show=creq&creq.delete=1&tb=tagreltb&id=XYZ|
Testing should obviously be done on devint only, owing to the destructive potential of this issue.
|Tags||No tags attached.|
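One way to implement the check requested in the description, as an added example that is not AniDB's code: a server-side guard that parses the query string from Steps To Reproduce and refuses a delete creq aimed at a protected table. The names `parse_query`, `check_creq_delete`, `%PROTECTED_TB`, the error text and the table `othertb` are assumptions; only `creq.delete`, `tb`, `id` and `tagreltb` come from the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: tables that must never be the target of a delete creq.
# Only tagreltb is named in the report.
my %PROTECTED_TB = map { $_ => 1 } qw(tagreltb);

# Decode a query string into name => [values]. Repeated names are all kept,
# so a second tb= value cannot hide behind the first one.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /[&;]/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;   # undo URL encoding
        }
        push @{ $p{$k} }, $v // '';
    }
    return \%p;
}

# Returns nothing when the request may proceed, or an error string that the
# caller shows instead of creating the creq.
sub check_creq_delete {
    my ($qs) = @_;
    my $p = parse_query($qs);
    return unless grep { $_ ne '' && $_ ne '0' } @{ $p->{'creq.delete'} || [] };
    for my $tb (@{ $p->{tb} || [] }) {
        (my $norm = lc $tb) =~ s/^\s+|\s+$//g;     # compare normalised names
        return "delete creqs are not allowed on table '$norm'"
            if $PROTECTED_TB{$norm};
    }
    return;
}

# Constructed sample requests; XYZ is the placeholder id from the report.
for my $qs (
    'show=creq&creq.delete=1&tb=tagreltb&id=XYZ',
    'show=creq&creq.delete=1&tb=%74agreltb&id=XYZ',
    'show=creq&creq.delete=1&tb=othertb&tb=TagRelTb&id=XYZ',
    'show=creq&tb=tagreltb&id=XYZ',
    'show=creq&creq.delete=1&tb=othertb&id=XYZ',
) {
    my $err = check_creq_delete($qs);
    printf "%-5s %s\n", ($err ? 'DENY' : 'ALLOW'), $qs;
}
```

The check has to run on the server at the point where the creq is created, because removing a delete link from the page does nothing against a hand-edited URL.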
Also note in that devint creq in the creq header block, it says tag system but links the tag itself.
Should be a field called tag that links the tag itself (type in this case), then another field tag system that quotes the tag system (character in this case).
Which is a completely different thing and you're just asking baka to yell at you. :P
I'll add a feature request for that.
||I don't see the issue. It creates a creq. If you grant that, that is the mod's fault.|
||Yes, and I'd like to not see it happen. But if you don't think the risk is enough to justify it, I can live with that.|
|2016-09-16 05:33||Hinoe||New Issue|
|2016-09-16 07:11||CDB-Man||Note Added: 0003845|
|2016-09-16 09:32||Hinoe||Note Added: 0003846|
|2016-09-29 15:43||DerIdiot||Note Added: 0003867|
|2016-09-29 18:25||Hinoe||Note Added: 0003868|
|2016-10-12 23:17||DerIdiot||Assigned To||=> DerIdiot|
|2016-10-12 23:17||DerIdiot||Status||new => resolved|
|2016-10-12 23:17||DerIdiot||Resolution||open => fixed|
|2016-10-12 23:17||DerIdiot||Fixed in Version||=> 2016-11|