[wp-testers] Deleting a draft in RC1 returns a 500 response

Travis Snoozy ai2097 at users.sourceforge.net
Sat Sep 22 06:23:05 GMT 2007


On Sat, 22 Sep 2007 00:30:01 -0500, Alexander Concha
<alex at buayacorp.com> wrote:

> Travis Snoozy wrote:
> > Note that the response code (displayed in tamperdata) is a
> > 500/internal server error, which seems wrong. The only reason I
> > noticed this is that it broke some test automation I have, which
> > expects a 200 response (which all prior versions of WordPress give).
> > 
> > Can anyone else reproduce this problem?
> 
> I was able to reproduce it -- it's because wp_nonce_ays calls wp_die
> which sends a 500 status header (see
> http://trac.wordpress.org/changeset/6110#file0).
> 
> To me, a 400 or 500 response is okay because an invalid nonce is an
> error.

The issue is that the JavaScript "are you really, -really- sure?"
dialog didn't get shown (I assume it tacks another nonce onto the
querystring; I haven't looked). This isn't an error, insofar as the
user getting tricked into clicking an external link that nukes a page
(which is what the nonce is -supposed- to be used to prevent), but
rather it's an abuse of the nonce to force an "are you sure" screen.
This behavior is inconsistent, since you can delete a post just fine
with one click from the management page.

I'm not too thrilled with getting a 500 from an event that's totally
normal in regular usage when you have JS turned off (and even less
thrilled about changing my automation so that 500 is "okay" to have
come back). That said, a -real- nonce failure is an error, and I'll
concede that it does deserve a 500. So, I'd say that either separate
"are you sure" functionality should be put in here, or the offending
nonce removed. At this point in the game, I'd vote for the latter,
since the management page already has one-click delete.


-- 
Travis
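
The separation argued for in this message, as an added example that is not part of the original post and is not WordPress code: a request with no nonce gets a 200 confirmation page, while a nonce that is present but fails verification gets the 500. The handler, the `_nonce` parameter, the secret and the validity window are all hypothetical.

```python
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: per-site secret key
TICK = 12 * 3600                     # assumption: nonce validity window, seconds


def make_nonce(user: str, action: str, now: Optional[float] = None) -> str:
    """Bind the nonce to the user, the action and the current time window."""
    tick = int((time.time() if now is None else now) // TICK)
    msg = f"{tick}|{user}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def check_nonce(nonce: str, user: str, action: str,
                now: Optional[float] = None) -> bool:
    """Accept a nonce from the current or previous window, in constant time."""
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(nonce, make_nonce(user, action, now - age * TICK))
        for age in (0, 1)
    )


def handle_delete(user: str, post_id: int, query: dict, posts: dict):
    """Return (status, body) for a delete request (hypothetical handler)."""
    action = f"delete-post_{post_id}"
    nonce = query.get("_nonce")
    if nonce is None:
        # Normal no-JavaScript flow: not an error, so answer 200 with a
        # confirmation page whose link carries a fresh nonce.
        fresh = make_nonce(user, action)
        return 200, f"Delete post {post_id}? Confirm: ?_nonce={fresh}"
    if not check_nonce(nonce, user, action):
        # A nonce was supplied but does not verify: a real failure.
        return 500, "nonce verification failed"
    posts.pop(post_id, None)
    return 200, "deleted"
```
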

