On 26/10/11 08:36, William Grant wrote:
> 37 + @property
> 38 + def confirmation_message(self):
> 39 + return ('<p>You are about to mark bug %s<br>'
> 40 + 'as no longer affecting %s.</p>'
> 41 + '<p>This operation will be permanent and cannot be '
> 42 + 'undone.</p>'
> 43 + % (self.context.bug.title,
> 44 + self.context.target.bugtargetdisplayname))
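Review bot: self.context.bug.title and self.context.target.bugtargetdisplayname are interpolated with % directly into a string that already carries <p> and <br> markup (lines 39-44), with no escaping. Since the embedded tags imply this string is rendered as HTML, any markup in a bug title would be rendered too. HTML-escape both values before formatting, or keep the markup in the template and pass the two values in as plain data. The "permanent and cannot be undone" wording on lines 41-42 should also be checked against what the operation actually does.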
>
> As Curtis says, this is a security hole. Why is this not done in the template? Also, the operation is not permanent -- it can be undone, by readding the task.
I'm fixing the hole.
The message is worded as per the bug report. I think the intent is that
in general, deletion is a serious decision and the user must be sure.