WordPress.org

Make WordPress Core

Opened 6 weeks ago

Last modified 4 weeks ago

#44047 assigned defect (bug)

The link you followed has expired. - Export / Erasure admin screens

Reported by: xkon
Owned by:
Milestone: 4.9.8
Priority: normal
Severity: normal
Version: 4.9.6
Component: Privacy
Keywords: gdpr needs-patch
Focuses:
Cc:

Description

This happens to both Erasure & Export admin screens.

To reproduce:

  • Add a request and don't confirm the e-mail ( just for faster test )
  • Make a 'forced' export or erasure
  • Refresh the page so the Remove Request button gets activated
  • Press Remove Request
  • Add any e-mail without refreshing the page (I didn't use a different email on the preview but it happens with all)

Note: the new confirmation is actually sent & the email is working properly even though you get "The link you followed has expired."

@allendav any ideas or something that I might be missing on this one?

Attachments (2)

expired_link_issue.gif (410.5 KB) - added by xkon 6 weeks ago.
patch.diff (631 bytes) - added by saimonh 4 weeks ago.


Change History (17)

#1 @subrataemfluence
6 weeks ago

I confirm that I could reproduce the issue by following the steps.

However

"Add any e-mail without refreshing the page...",

if I do it even after refreshing the page the message is still coming.

Not sure if I am right, but when I Remove request, the process page URL is like this:

/wp-admin/tools.php?page=export_personal_data&action=delete&request_id%5B0%5D=136&_wpnonce=cb4afd7f30

and after removal, the page stays only there.

After the removal is done the value for _w_http_referrer is

/wp-admin/tools.php?page=export_personal_data&action=delete&request_id%5B0%5D=136&_wpnonce=cb4afd7f30

which is reported expired since we have already removed that request.

But when I load the page by clicking Tools > Export personal data link, the referrer is /wp-admin/tools.php?page=export_personal_data.

To my understanding after deleting a request the page should redirect back to /wp-admin/tools.php?page=export_personal_data, so that no Expired Link is reported.

I may be wrong!

Last edited 6 weeks ago by subrataemfluence

#2 @birgire
6 weeks ago

Thanks for the ticket @xkon

I thought I noticed something similar while testing request deleting for another ticket yesterday (#44000), but I suspected this to be something specific to my modified test site, at the time :)

#3 @xkon
6 weeks ago

@birgire np at all, it isn't actually causing any issues or breaking any newly generated links, it's just an error message from the URL not being updated properly as @subrataemfluence mentions although I didn't check the code as well to dig deeper.

So maybe yes, a nice and easy solution would be that after a Remove Request we could just redirect to the tool page so the url is clean etc ( or remove any extra vars from it with js so the next action starts with a clean one(?) ).

#4 @iandunn
6 weeks ago

  • Component changed from General to Administration
  • Keywords gdpr needs-patch added
  • Milestone changed from Awaiting Review to 4.9.6
  • Owner set to iandunn
  • Status changed from new to accepted

This ticket was mentioned in Slack in #gdpr-compliance by danieltj.

6 weeks ago

This ticket was mentioned in Slack in #core by desrosj.

6 weeks ago

#7 @iandunn
6 weeks ago

  • Owner iandunn deleted
  • Status changed from accepted to assigned

This ticket was mentioned in Slack in #gdpr-compliance by allendav.

6 weeks ago

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.

6 weeks ago

#10 @desrosj
6 weeks ago

  • Milestone changed from 4.9.6 to 4.9.7

This still needs a patch. With RC2 in the next few hours, punting to 4.9.7.

#11 @desrosj
6 weeks ago

#44102 was marked as a duplicate.

#12 @desrosj
5 weeks ago

  • Component changed from Administration to Privacy

Moving to the new Privacy component.

#13 @desrosj
5 weeks ago

  • Version set to 4.9.6

Marking privacy bugs as introduced in 4.9.6.

#14 @desrosj
5 weeks ago

  • Milestone changed from 4.9.7 to 4.9.8

Moving all tickets in 4.9.7 to 4.9.8.

@saimonh
4 weeks ago

Hello, I think we just can't simply reload the browser as there are some messages to show. Meaning reloading the browser to fix the issue will prevent us from seeing the success message of what has been deleted or performed. So the best option I could think of is to remove the query args from the URL using JavaScript. I've attached a patch, please have a look. Regards
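
The approach proposed in the comment above, removing the one-time query arguments from the URL with JavaScript, can look like the following. This is an added example, not the attached patch.diff and not WordPress core code; the parameter names are taken from the URL quoted in comment #1, and `stripOneTimeParams` and `isOneTimeParam` are hypothetical helper names.

```javascript
// Added example (not the attached patch.diff). Parameter names come from the
// URL quoted in comment #1; the helper names are hypothetical.
const ONE_TIME_PARAMS = ['action', '_wpnonce', 'request_id'];

// True for "request_id" itself and for array-style keys such as "request_id[0]"
// (sent on the wire as request_id%5B0%5D).
function isOneTimeParam(key) {
  return ONE_TIME_PARAMS.some(
    (name) => key === name || key.startsWith(name + '[')
  );
}

// Return path + query + fragment with the single-use action arguments removed,
// so the nonce no longer sits in the address bar or in later Referer headers.
function stripOneTimeParams(href, base) {
  const url = new URL(href, base);
  // Copy the keys first: deleting while iterating searchParams skips entries.
  for (const key of Array.from(url.searchParams.keys())) {
    if (isOneTimeParam(key)) {
      url.searchParams.delete(key);
    }
  }
  return url.pathname + url.search + url.hash;
}

// In the browser: rewrite the address bar without reloading, so the success
// notice that is already rendered stays on screen.
if (typeof window !== 'undefined' && window.history && window.history.replaceState) {
  const loc = window.location;
  const cleaned = stripOneTimeParams(loc.href);
  if (cleaned !== loc.pathname + loc.search + loc.hash) {
    window.history.replaceState(null, '', cleaned);
  }
}
```

This only changes the address bar; the referrer value described in comment #1 is already part of the rendered page, which is the case the redirect suggested in that comment would also cover.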

#15 @birgire
4 weeks ago

There can be challenges using two or more forms, each with a different nonce, on the same page, when the nonce is added to the url as a GET parameter.

If ticket #43912 (Requests (new, pending, completed) should not be deletable) is the way to go, then this problem goes away :)

Ps: For non-javascript support, the core uses the message GET parameter, to be able to display the corresponding notice after the redirection. We can see this when a tag is deleted on the edit-tags.php screen when javascript is disabled. For example:

/wp-admin/edit-tags.php?taxonomy=category&message=2

that displays the Category deleted message.
