Revert multiple tokens for attachement delete links

Revert the logic introduced by fix for Issue #20142, in which one single form security token is used for all action links. The side effect is that only one of those actions can be performed from the specific originating page. This is especially a drawback when the actions are links that can be open in new browsers tabs. Reverting to separate tokens allows to perform all the actions without having to reload the originating page. Note, the original performance issue was solved at the session layer with 8092c3d. Fixes: #21610
mantisbt · Aug 26, 2016 · f160663 · f160663
1 parent 694873e
commit f160663
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/core/print_api.php b/core/print_api.php
@@ -1830,11 +1830,10 @@ function get_dropdown( array $p_control_array, $p_control_name, $p_match = '', $
  */
 function print_bug_attachments_list( $p_bug_id ) {
 	$t_attachments = file_get_visible_attachments( $p_bug_id );
-	$t_security_token = form_security_token( 'bug_file_delete' );
 	echo "\n<ul>";
 	foreach ( $t_attachments as $t_attachment ) {
 		echo "\n<li>";
-		print_bug_attachment( $t_attachment, $t_security_token );
+		print_bug_attachment( $t_attachment );
 		echo "\n</li>";
 	}
 	echo "\n</ul>";
@@ -1862,6 +1861,10 @@ function print_bug_attachment( array $p_attachment, $p_security_token = null ) {
 		$g_collapse_cache_token[$t_collapse_id] = false;
 		collapse_open( $t_collapse_id );
 	}
+	# The same token is used for both links in the collapse section
+	if( null === $p_security_token ) {
+		$p_security_token = form_security_token( 'bug_file_delete' );
+	}
 	print_bug_attachment_header( $p_attachment, $p_security_token );
 	if( $t_show_attachment_preview ) {
 		echo lang_get( 'word_separator' );