Closed prioux closed 1 year ago
Solution: completely disable submit on Enter/Return
in these little search boxes, the return key is not supposed to do anything.
The Rails server logfile shows the request that was sent:
Processing by TasksController#update_multiple as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "cbrain_task"=>{"group_id"=>"", "results_data_provider_id"=>"27", "tool_config_id"=>""}, "commit"=>"Update", "dup_bourreau_id"=>"21", "archive_dp_id"=>"", "per_page"=>"25", "update_group_id"=>"1"}
temporary withdraw
Fixed by #1307
A POST to a controller is performed when it shouldn't happen.
To reproduce:
1) Go to an index page such as /tasks
2) Click on the small magnifying glass for one of the columns (e.g. the Task Type column)
3) Enter dummy text in the search box for the column (e.g. 'blah')
4) Hit return

In the case of the /tasks page, a request is posted to TasksController#update_multiple using the first hijacker submit button in the 'Update Attributes' button/menu.

See screenshots:
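
Why Enter in a column search box can arrive at the server as "commit"=>"Update", and a client-side guard in the spirit of "disable submit on Enter/Return". This is an added example, not CBRAIN code and not the change made in #1307. It assumes the search box sits inside the same form as the action buttons; the names filter_type, Archive and the data-filter attribute are hypothetical.

```javascript
// Added example, not CBRAIN code. HTML implicit submission: Enter in a text
// field activates the form's default button (the first enabled submit button
// in tree order), and that button's name/value is sent with the request.

// Constructed model of a form that wraps both the column filter box and the
// action buttons. "filter_type", "Archive" and data-filter are hypothetical.
const sampleForm = [
  { tag: "input", type: "text", name: "filter_type", dataset: { filter: "1" } },
  { tag: "input", type: "submit", name: "commit", value: "Update" },
  { tag: "input", type: "submit", name: "commit", value: "Archive" },
];

function isSubmitButton(c) {
  if (c.disabled) return false;
  if (c.tag === "input") return c.type === "submit" || c.type === "image";
  // A <button> with no type attribute defaults to type="submit".
  return c.tag === "button" && (c.type === undefined || c.type === "submit");
}

// The button the browser "clicks" on Enter, or null if the form has none.
function defaultButton(controls) {
  return controls.find(isSubmitButton) || null;
}

// Decide whether a keydown should be swallowed: Enter inside a filter box.
function shouldBlockEnter(event) {
  const t = event.target || {};
  const isFilter = Boolean(t.dataset && t.dataset.filter);
  return event.key === "Enter" && t.tagName === "INPUT" && isFilter;
}

// Browser wiring: one delegated listener; preventDefault() on the keydown
// stops the implicit submission. Skipped when no DOM is present.
function installEnterGuard(root) {
  root.addEventListener("keydown", (e) => {
    if (shouldBlockEnter(e)) e.preventDefault();
  });
}
if (typeof document !== "undefined") installEnterGuard(document);
```

The guard only covers the browser side; the controller action still has to reject an update request that carries no explicitly chosen values.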