Commit
Use HTTP POST when deleting attachments
This fixes deleting attachments on tomcat where HTTP DELETE (and PUT)
are disabled by default. Enabling them is also not possible because that
would allow users to delete attachments if they know the id of the
attachment on the file-system (for example with curl, by running
curl -X DELETE http://mamute.local/attachments/1).
xdarklight committed Feb 6, 2016
1 parent 95a1b74 commit d785872
Showing 2 changed files with 5 additions and 3 deletions.
3 changes: 2 additions & 1 deletion src/main/webapp/WEB-INF/jsp/coda.jspf
Expand Up @@ -11,11 +11,12 @@

<script type="text/javascript">
//UI flags (GLOBAL VARIABLES)
var Globals = {};
var Globals = {};
Globals.inHouseUploading = ${env.supports('feature.inhouse.upload')};
Globals.linkTo = {};
Globals.linkTo.uploadAttachment = "${linkTo[AttachmentController].uploadAttachment}";
Globals.linkTo.getAttachment = "${linkTo[AttachmentController].downloadAttachment}";
Globals.linkTo.deleteAttachment = "${linkTo[AttachmentController].deleteAttachment}";

var ANYONE_CAN_CREATE_TAGS = ${env.supports('feature.tags.add.anyone')};
var TAGS_SPLITTER_CHAR = "${env.get('tags.splitter.char')}";
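
Review bot: the removed and added `var Globals = {};` lines at the top of this hunk read identically, so that change looks whitespace-only; leave it out of this commit so the diff shows only the new `Globals.linkTo.deleteAttachment` entry. That entry, like `getAttachment`, is a prefix that `fileuploader.js` concatenates the attachment id onto, and its value is written into a JavaScript string literal unescaped; a one-line comment stating that it must remain a server-generated route would document both assumptions.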
5 changes: 3 additions & 2 deletions src/main/webapp/assets/js/fileuploader.js
Expand Up @@ -11,8 +11,9 @@ if (Globals.inHouseUploading) {
link.css("pointer-events", "none");
var id = link.data("attachment-id");
$.ajax({
url: Globals.linkTo.getAttachment + id,
type: 'DELETE',
url: Globals.linkTo.deleteAttachment + id,
method: 'POST',
data: { _method: 'DELETE' },
success: function(result) {
$("#attachment-" + id).remove();
$("#input-attachment-" + id).remove();
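
Review bot: the request body in the `$.ajax` call is only `data: { _method: 'DELETE' }`, with no anti-CSRF token, and changing the verb does not by itself address the concern raised in the commit message, since a POST to the delete URL with a known id is as easy to send as a DELETE. Confirm that the `deleteAttachment` action checks that the logged-in user may delete that attachment and that state-changing POSTs are CSRF-protected, then send the token in this request. Separately, `method:` is only recognised by jQuery 1.9.0 and later; if the bundled jQuery is older, keep `type: 'POST'`.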