Uninett / Argus

Argus is an alert aggregator for monitoring systems
GNU General Public License v3.0

Force deletion of filters #393

Open johannaengland opened 2 years ago

johannaengland commented 2 years ago

#392 prevents deleting a filter if it is connected to any notification profiles. There should be a way to confirm with the user that it still should be deleted and then to force it.

johannaengland commented 2 years ago

Context from #220:

Safer to use a unique nonce than just a boolean force-argument.

How does that work?

It's what Django uses the CSRF token for. It prevents replay attacks and ensures you can't skip a step, since every call to the endpoint without the nonce creates a new nonce.

Remaining question: A user clicks "Yes, delete anyway", should the notification profile that now has no filters also be deleted?

I think deletion of the full notification profile would be very surprising and upsetting to a user. As an alternative, the UI could be made to highlight profiles that are currently "useless", so the user knows which ones to amend. But the important part is the warning with a refusal to delete until a force argument is used.

A force-argument also needs changes to the UI, and would have to go in API version 2. So how should we fix this in a way that is compatible with version 1? Or should we leave it as is for version 1?
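The nonce-confirmed delete discussed above, as an added example that is not part of the thread or of the Argus code base: a first delete of an in-use filter is refused and returns a fresh single-use nonce, and only a second call carrying that nonce deletes. `FilterStore`, `FilterInUse` and the in-memory data are hypothetical, and issuing a new nonce after a wrong one is an assumption of this sketch.

```python
import hmac
import secrets


class FilterInUse(Exception):
    """Delete refused; carries the nonce the client must send back to confirm."""

    def __init__(self, nonce, profiles):
        super().__init__("filter is connected to notification profiles")
        self.nonce, self.profiles = nonce, profiles


class FilterStore:
    """Constructed in-memory stand-in for a filter endpoint (hypothetical)."""

    def __init__(self, filters):
        self.filters = filters  # filter_id -> names of profiles using it
        self.pending = {}       # (user, filter_id) -> outstanding nonce

    def delete(self, user, filter_id, nonce=None):
        profiles = self.filters[filter_id]
        if not profiles:  # unused filter: no confirmation step needed
            del self.filters[filter_id]
            return True
        key = (user, filter_id)
        # Single use: the stored nonce is consumed by every attempt, so a
        # captured or stale value cannot be replayed later.
        expected = self.pending.pop(key, None)
        if nonce is not None and expected is not None and hmac.compare_digest(
            nonce.encode(), expected.encode()
        ):
            # Confirmed: only the filter goes; profiles are left for the user.
            del self.filters[filter_id]
            return True
        # No nonce, or a wrong one: refuse and hand out a new nonce, so the
        # warning step cannot be skipped with a constant like force=true.
        fresh = secrets.token_urlsafe(32)
        self.pending[key] = fresh
        raise FilterInUse(fresh, list(profiles))
```

Binding the nonce to both the user and the filter id means a value issued to one user, or for one filter, confirms nothing else.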