continuum-issues mailing list archives

From "Brent N Atkinson (JIRA)" <j...@codehaus.org>
Subject [jira] (CONTINUUM-2665) Incorrect purge description is displayed in delete confirmation.
Date Tue, 24 Mar 2015 20:59:18 GMT

    [ https://jira.codehaus.org/browse/CONTINUUM-2665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=365634#comment-365634 ]

Brent N Atkinson commented on CONTINUUM-2665:
---------------------------------------------

I have a fix for the behavior reported, but the actual issue's scope is larger. 

This behavior will occur for all pages that overload a single token with different form parameters
and use {{TokenSessionStoreInterceptor}}. The reason is that once a request is submitted and
a result is rendered and stored in the user's session for the token, any request using the
same token will yield the original result. This, in combination with the fact that history.back()
is consistently used throughout the application, increases the likelihood that users will encounter
the scenario: since the browser is not issuing new requests, new tokens are not generated
after canceling.

To solve this problem, we could:

1.) Generate unique tokens for every unique request

This has the advantage that it will work as a user expects regardless of whether they click
cancel or hit the browser's back button. The disadvantage is that the number of tokens generated
for a page will be proportional to the number of requests requiring CSRF protection. Also,
since the request results are possibly stored, the amount of information stored in the session
could be considerable.

2.) Change the cancel buttons so they force a page request rather than using browser history

This has the advantage of not requiring more than a single token in the user's session for
a given request. The disadvantage is that users will still experience the issue when using
the browser's back button, since it will use cached tokens as with history.back().



> Incorrect purge description is displayed in delete confirmation.
> ----------------------------------------------------------------
>
>                 Key: CONTINUUM-2665
>                 URL: https://jira.codehaus.org/browse/CONTINUUM-2665
>             Project: Continuum
>          Issue Type: Bug
>          Components: Web - UI
>    Affects Versions: 1.4.1
>            Reporter: Greg Michael Meneses
>            Assignee: Brent N Atkinson
>            Priority: Minor
>              Labels: triaged
>
> To replicate:
> 1) Create 2 purge configurations with distinct descriptions.
> 2) Click delete button for purge 1
> Are you sure you want to delete Purge Configuration "<purge 1 description>" ?
> 3) Click cancel
> 4) Click delete button for purge 2
> Error: Are you sure you want to delete Purge Configuration "<purge 1 description>" ? is displayed
> Expected Result: Are you sure you want to delete Purge Configuration "<purge 2 description>" ? is displayed



--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
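
The behaviour described in the comment above, as an added example that is not part of the original message and is not Struts 2 or Continuum code: a simplified model of a token-keyed result store, showing the stale confirmation when one token is shared by two delete requests and the effect of option 1. The class `TokenReplayDemo`, the `session` map, and the `submit` and `newToken` helpers are hypothetical names chosen for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model of a token-keyed result store (assumption: the result of
// the first request for a token is kept in the session and replayed later).
public class TokenReplayDemo {
    // Stands in for the user's session: token -> result rendered on first use.
    static final Map<String, String> session = new HashMap<>();

    // The first request carrying a token renders and stores its result.
    // Any later request with the same token gets the stored result back,
    // regardless of the form parameters it carries.
    static String submit(String token, String purgeDescription) {
        return session.computeIfAbsent(token, t ->
            "Are you sure you want to delete Purge Configuration \""
                + purgeDescription + "\" ?");
    }

    static String newToken() {
        return UUID.randomUUID().toString();
    }

    public static void main(String[] args) {
        // Reported behaviour: one token rendered into the list page and
        // shared by the delete buttons of both purge configurations.
        String pageToken = newToken();
        System.out.println(submit(pageToken, "purge 1"));
        // Cancel uses history.back(): no new page request is made, so the
        // page still holds pageToken when the second delete is clicked.
        System.out.println(submit(pageToken, "purge 2")); // replays purge 1's result

        // Option 1 from the comment: a unique token for every unique request.
        session.clear();
        String tokenForPurge1 = newToken();
        String tokenForPurge2 = newToken();
        System.out.println(submit(tokenForPurge1, "purge 1"));
        System.out.println(submit(tokenForPurge2, "purge 2")); // names purge 2

        // The trade-off noted in the comment: one stored result per token.
        System.out.println("results held in session: " + session.size());
    }
}
```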
