View Issue Details

ID: 0005632
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2005-05-31 11:23
Reporter: astax
Assigned To: ryandesign
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: no change required
Summary: 0005632: Why "Edit", "Delete" and "Make private" links are replaced with buttons?
Description

Why are those nice tiny links to "Edit", "Delete" and "Make private" for bugnotes replaced with ugly large buttons? (Actually not only these links, but some others too.)

I see in the history that it was a fix for 0005606, but the links in that issue specify exactly another, much better way of fixing the problem with Google Web Accelerator. Moreover, that Accelerator is now fixed, as I understand, and won't repeat this problem.

Tags: No tags attached.

Relationships

related to 0005606 (closed, vboctor): Support prefetching of web page for Google Web Accelerator and Browsers

Activities

ryandesign

2005-05-23 05:24

reporter   ~0010191

Collective security wisdom and Internet RFC recommendations state that a form using the GET method, or links with GET parameters, must only be used for things that have no side-effects: viewing a bug report, for example, or searching for one. But if the action is to delete something or to edit it in any way, then the action should only be reachable via a form using the POST method. The Google Web Accelerator brought this issue to the forefront recently, but the recommendation is sound in all contexts. (Read up on "CSRF" (Cross-Site Request Forgery) attacks for more on this.) While clicking a bugnote's "Edit" link did not immediately edit data, it was probably changed to a button to match visually with the "Delete" and "Make Private" buttons, which, since they do change data, must be buttons.
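
The rule in the note above, enforced on the server, as an added example that is not MantisBT code and not part of the original thread. The route paths, handler names and sample bugnotes are hypothetical; the listing page deliberately still emits old-style GET delete links so that a link prefetcher has something to follow.

```python
import io
import re
from urllib.parse import parse_qs

BUGNOTES = {1: "first note", 2: "second note"}  # constructed sample data

def view(params):
    # Worst case on purpose: the page still carries old-style GET delete links.
    return "".join(f'<a href="/bugnote/delete?id={i}">Delete {i}</a>' for i in BUGNOTES)

def delete(params):
    note_id = params.get("id", [""])[0]
    if note_id.isdigit():
        BUGNOTES.pop(int(note_id), None)
    return "deleted"

# Hypothetical routes: safe reads on GET, anything that changes data on POST only.
ROUTES = {"/bugnotes": ("GET", view), "/bugnote/delete": ("POST", delete)}

def app(environ, start_response):
    method, route = environ["REQUEST_METHOD"], ROUTES.get(environ["PATH_INFO"])
    if route is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    allowed, handler = route
    if method != allowed:
        # Refuse before the handler runs, so no side effect can occur.
        start_response("405 Method Not Allowed",
                       [("Allow", allowed), ("Content-Type", "text/plain")])
        return [b"method not allowed"]
    if method == "POST":  # form fields travel in the request body
        raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0)).decode()
    else:
        raw = environ.get("QUERY_STRING", "")
    body = handler(parse_qs(raw))
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]

def request(method, url, form=""):
    """Call the WSGI app in-process and return (status, body)."""
    path, _, query = url.partition("?")
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(form)), "wsgi.input": io.BytesIO(form.encode())}
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body.decode()

def prefetch(page_url):
    """Act like a link prefetcher: GET the page, then GET every href on it."""
    _, page = request("GET", page_url)
    return [request("GET", href)[0] for href in re.findall(r'href="([^"]+)"', page)]
```

Requiring POST stops prefetchers and crawlers from triggering the action, but a cross-site form can still submit a POST, so a per-session anti-CSRF token is needed as well.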