Closed (fixed)
Project:
Drupal core
Version:
7.x-dev
Component:
taxonomy.module
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
31 Jul 2007 at 03:01 UTC
Updated:
28 Feb 2008 at 18:44 UTC
Jump to comment: Most recent file
Comments
Comment #1
catchThese are the functions using $_GET or $_POST from taxonomy.admin.inc:
function taxonomy_admin_vocabulary_edit($vocabulary)
function taxonomy_admin_term_edit($tid)
taxonomy_overview_terms
Comment #2
catchtaxonomy_overview_terms is only using $_GET for paging, I assume that's fine.
However sure it shouldn't have comments like this in it:
// FIXME
Comment #3
wim leersStill not fixed.
Comment #4
HorsePunchKid commentedSomething like this? I just modeled it very closely on how the term code worked.
Comment #5
HorsePunchKid commentedSimpler patch with the same result; turns out
taxonomy_admin_vocabulary_editwas entirely unnecessary.Comment #6
pwolanin commentedHmm, I'm not sure what happens when you return a form from a _submit function - I don't think that's quite right.
Should probably be done more in the style of my fix for user module (even though that has a bit of tab ugliness going on)
Comment #7
pwolanin commentedoh, wait - I mis-read the patch code. Actually looks pretty good.
however, since removing function taxonomy_admin_vocabulary_edit($vocabulary) could be considered an API change, probably better to just leave it as a wrapper.
Comment #8
pwolanin commentedAlso, the code is a little fragile, since it relies on buttons on two different forms having the same name.
Here's a slightly modified version.
Comment #9
HorsePunchKid commentedI like that change to
t_v_confirm_delete(which could be applied to the term deletion form, too), but why keeptaxonomy_admin_vocabulary_editif all it does is calldrupal_get_form? I guess I felt removing that was in the spirit of "cleaning up menu usage".Hybrid patch attached; also a patch with the analogous change for term deletion. Both seem to work fine.
Comment #10
HorsePunchKid commentedIf you prefer #8, note that the
// Rebuildcomment intaxonomy_form_vocabulary_submitneedss/term/volcabulary. (That was a problem in my earlier patches, too.)Comment #11
pwolanin commented@HorsePunchKid - I'd happily support removing that function in HEAD, but for 6.x, I think removing a public function counts as an API change - for example, there may be contrib modules already ported that use it (doubtful, but possible).
Comment #12
pwolanin commentedcorrected code comment and swapped
$edit['vid']for$form_state['values']['vid']Comment #13
pwolanin commented@HorsePunchKid - also, fixing the id of the term deletion form might be a good idea, but open a separate issue for that.
Comment #14
bennybobw commentedTested on HEAD. Applies cleanly, code looks good. RTBC.
Comment #15
HorsePunchKid commentedThanks for the helpful info, pwolanin. Patch looks good!
Comment #16
gábor hojtsyWell, book, comment, poll, search, system, upload, user modules all use _POST instead of FAPI constructs, and there is no bug here as far as I understand, so let's our continue migration to cleaner FAPI code in Drupal 7.
Comment #17
pwolanin commented@Gabor - book module uses it in the context of the ahah method, not for a form per se.
Using POST for a deletion form does pose some risk of CSFR requests, though perhaps Heine can weigh in on the seriousness of it.
Comment #18
dries commentedCommitted to CVS HEAD. Thanks.
Comment #19
Anonymous (not verified) commentedAutomatically closed -- issue fixed for two weeks with no activity.