
Version Manager violates HTTP GET verb

description

The GET verb protocol should only get data and never modify or delete data. Calling GET twice in a row should always return the same result. Orchard violates this by allowing Edit and Delete through GET requests. For example (from IIS logs):
GET /Admin/Iroo.VersionManager/Delete/10251
GET /Admin/Iroo.VersionManager/UnsetPublishedVersion/10251
GET /Admin/Iroo.VersionManager/Undelete/10251

We made the unfortunate mistake of giving our search crawler edit access and everything in our site got deleted because the crawler found the delete URLs and executed them as a GET. The GET request should not have modified data, and if Version Manager had followed standard protocols, we may have had a lot of unfortunate content, but we at least would not have had our content wiped out.

I fixed your module by changing the action methods (Delete, Undelete, Publish, and Unpublish) to POST requests. Attached are the three modified files.
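For readers who want to see what the fix described above looks like in ASP.NET MVC (the framework Orchard modules are built on), here is an added example that is not the module's own code and not the attached files. It contrasts a controller action with no verb restriction, which MVC will happily run for a crawler's GET, with a POST-only action guarded by the standard System.Web.Mvc anti-forgery attribute. The controller, the IVersionService interface and its method names are assumptions standing in for whatever the module actually calls. One caveat a practitioner should note: moving a destructive action to POST stops crawlers and prefetchers, which only issue GET, but it does not by itself stop cross-site request forgery; the anti-forgery token is what does that.

```csharp
// Added example (not the Version Manager module's own code).
// Shows a GET-mutating "before" beside a POST-only, CSRF-protected "after".
using System.Web.Mvc;

namespace Example.VersionManager.Controllers
{
    // Hypothetical service standing in for whatever the real module uses
    // to change version state. The interface and method names are assumptions.
    public interface IVersionService
    {
        void Delete(int versionId);
        void Undelete(int versionId);
    }

    // BEFORE: no HTTP-verb attribute. MVC routes any verb to these actions,
    // so a crawler fetching /Admin/.../Delete/10251 (or an <img src> on a
    // third-party page pointing at it) deletes content. This is the behaviour
    // the issue describes, reproduced here deliberately.
    public class UnsafeVersionManagerController : Controller
    {
        private readonly IVersionService _versions;

        public UnsafeVersionManagerController(IVersionService versions)
        {
            _versions = versions;
        }

        public ActionResult Delete(int id)
        {
            _versions.Delete(id);               // side effect on a GET
            return RedirectToAction("Index");
        }

        public ActionResult Undelete(int id)
        {
            _versions.Undelete(id);
            return RedirectToAction("Index");
        }
    }

    // AFTER: GET only renders a confirmation form; the state change happens
    // on POST and only when the request carries a valid anti-forgery token.
    public class VersionManagerController : Controller
    {
        private readonly IVersionService _versions;

        public VersionManagerController(IVersionService versions)
        {
            _versions = versions;
        }

        // Safe: a GET just shows "Delete version 10251?" with a form that POSTs back.
        [HttpGet]
        public ActionResult Delete(int id)
        {
            return View(id);
        }

        // C# cannot overload on the verb alone, so the POST handler gets a
        // different method name and [ActionName] keeps the URL identical.
        // A GET to this URL no longer matches this method; MVC answers 404.
        [HttpPost]
        [ActionName("Delete")]
        [ValidateAntiForgeryToken]
        public ActionResult DeleteConfirmed(int id)
        {
            _versions.Delete(id);
            return RedirectToAction("Index");
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Undelete(int id)
        {
            _versions.Undelete(id);
            return RedirectToAction("Index");
        }
    }
}

// Confirmation view (Views/VersionManager/Delete.cshtml), shown here as a
// comment because it is Razor, not C#. Html.AntiForgeryToken() emits the
// hidden field that [ValidateAntiForgeryToken] checks against the cookie.
//
// @model int
// @using (Html.BeginForm("Delete", "VersionManager", new { id = Model }, FormMethod.Post))
// {
//     @Html.AntiForgeryToken()
//     <p>Delete version @Model?</p>
//     <button type="submit">Delete</button>
// }
```

After a change like this, a quick check is to repeat the crawler's request by hand: a plain GET to the Delete URL should return a confirmation page (or a 404 if no GET action exists at all) and leave the content untouched, while the same URL POSTed without the token should be rejected by the anti-forgery filter.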
