
fix(projects): use POST + CSRF for project delete on detail page #1597

Open
polybjorn wants to merge 1 commit into InvoicePlane:develop from polybjorn:bugfix/projects-delete-csrf

Conversation

@polybjorn polybjorn commented Jun 24, 2026

The delete button on the project detail page (application/modules/projects/views/view.php) uses a GET <a> link. Base_Controller rejects any non-POST request whose URL contains "delete" with show_404() (the CSRF/prefetch guard), so deleting a project from its detail page returns a 404 instead of deleting it.

This converts the link to a POST form with _csrf_field(), matching the delete-hardening already applied elsewhere in the module (partial_projects_table.php, the projects list table). The list-table delete and all other deletes were already POST + CSRF; this detail-page link was the remaining GET link.

Test plan

  • Project detail page -> Delete -> confirm: project is deleted and redirects to the list (previously 404).
  • Projects list-table delete still works unchanged.

Summary by CodeRabbit

  • Bug Fixes
    • Improved the project delete action to use a safer form submission instead of a direct link.
    • Added protection against unauthorized requests and kept the confirmation prompt before deletion.

The delete button on the project detail page used a GET <a> link, which
Base_Controller rejects with show_404() for any non-POST request whose
URL contains "delete" (CSRF/prefetch guard). Deleting a project from
its detail page therefore 404'd. Convert the link to a POST form with
_csrf_field(), matching the pattern already used in the projects list
table (partial_projects_table.php). Completes the delete-hardening
migration that missed this one link.
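The following is an added example, not InvoicePlane's code and not from the pull request, that models the two mechanisms the description relies on: the Base_Controller rule that answers any non-POST request whose URL contains "delete" with a 404, and the CSRF token a POST form must carry (the page's `_csrf_field()`). It renders the "before" GET link beside the "after" POST form and runs the old link, a token-less cross-site POST and the fixed form through the same handler so the 404 symptom, the CSRF rejection and the successful delete can be seen side by side. The field name `csrf_token`, the `Request`/`Session` types, `render_delete_control`, and reading the project id from the last path segment are assumptions made for the illustration.

```python
"""Model of the delete guard and CSRF check described in the PR.
Added example; not InvoicePlane's code. TOKEN_NAME, Request, Session,
render_delete_control and the id-in-path convention are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from html import escape
from typing import Dict, Set

TOKEN_NAME = "csrf_token"  # assumed form-field name, not InvoicePlane's


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    # one unguessable token per session; a cross-site page cannot read it
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def csrf_field(session: Session) -> str:
    """Hidden input a POST form must carry; stands in for _csrf_field()."""
    return f'<input type="hidden" name="{TOKEN_NAME}" value="{escape(session.csrf_token)}">'


def render_delete_control(project_id: str, session: Session, hardened: bool) -> str:
    """Before: a GET <a> link. After: a POST form carrying the CSRF token."""
    url = f"/projects/delete/{escape(project_id)}"
    if not hardened:
        return f'<a href="{url}" onclick="return confirm(\'Delete?\')">Delete</a>'
    return (
        f'<form method="post" action="{url}" onsubmit="return confirm(\'Delete?\')">'
        f"{csrf_field(session)}"
        '<button type="submit">Delete</button></form>'
    )


def delete_guard(req: Request) -> bool:
    """Base_Controller rule from the PR: a non-POST request with 'delete'
    in the URL is rejected (browser prefetch and plain links never pass)."""
    return req.method == "POST" or "delete" not in req.path


def csrf_ok(req: Request, session: Session) -> bool:
    """Constant-time comparison of the submitted token with the session token."""
    return hmac.compare_digest(req.form.get(TOKEN_NAME, ""), session.csrf_token)


def handle_delete(req: Request, session: Session, projects: Set[str]) -> str:
    """Guard first, then CSRF, then the delete; returns the outcome as a string."""
    if not delete_guard(req):
        return "404"            # show_404(): the symptom the PR fixes
    if not csrf_ok(req, session):
        return "403"            # forged cross-site POST has no valid token
    project_id = req.path.rsplit("/", 1)[-1]
    if project_id not in projects:
        return "404"
    projects.discard(project_id)
    return "redirect:/projects"


def run_scenarios() -> Dict[str, str]:
    """Drive the handler with constructed requests and collect the outcomes."""
    session = Session()
    projects = {"1", "2", "3"}  # constructed sample data
    url = "/projects/delete/"
    results = {
        # the old detail-page link: GET is rejected before anything else
        "get_link": handle_delete(Request("GET", url + "1"), session, projects),
        # a cross-site forged POST: right method, no token
        "post_no_token": handle_delete(Request("POST", url + "1"), session, projects),
        # the fixed form: POST plus the session's token
        "post_with_token": handle_delete(
            Request("POST", url + "1", {TOKEN_NAME: session.csrf_token}), session, projects),
        # submitting the same form again finds nothing left to delete
        "post_repeat": handle_delete(
            Request("POST", url + "1", {TOKEN_NAME: session.csrf_token}), session, projects),
    }
    results["remaining"] = ",".join(sorted(projects))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The guard alone explains the bug (a GET link can never reach the delete code), and the token check is what makes the POST form safe to accept: a page on another origin can submit a POST to the delete URL, but it cannot read the victim's session token to put in the form, so the request stops at the 403 branch.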
@polybjorn polybjorn marked this pull request as ready for review June 24, 2026 22:22
@InvoicePlane InvoicePlane deleted a comment from coderabbitai Bot Jun 25, 2026
@nielsdrost7 nielsdrost7 (Contributor) commented

Thanks, man!
