Monica: trying to delete life event deletes contact

Created on 10 Feb 2019 · 2Comments · Source: monicahq/monica

Describe the bug
how to reproduce: open contact page, open live events. Click "delete". In the Pop up that opens, click the green "Delete" Button. Nothing seems to happen. Reload the page or click cancel and reload the page.

Screenshots

After Reload:

Which version are you using:

Hosting version on https://app.monicahq.com

bug

Source

theweekendgeek

Most helpful comment

I've just tested my proposed resolution by editing the network traffic using a debugging proxy (I haven't changed the code, yet) and it no longer deletes the contact. However, it doesn't actually delete the life event. New flow is:

User clicks 'Delete'
Browser issues DELETE /lifeevents/559 HTTP/1.1
Server replies HTTP/1.1 303 See Other, Location: https://app.monicahq.com/people/h:YJaPqMeZRbEg3Z1o8yVd
Browser issues GET /people/h:YJaPqMeZRbEg3Z1o8yVd HTTP/1.1. Server replies HTTP/1.1 200 OK. Browser displays friendly 'life event deleted successfully' toast notification message.
Browser issues GET /people/h:YJaPqMeZRbEg3Z1o8yVd/lifeevents HTTP/1.1.
Server replies HTTP/1.1 200 OK with body:
[{"id":559,"life_event_type":"New vehicle","default_life_event_type_key":"new_vehicle","name":"Test issue 2415 fix","note":null,"happened_at":"Feb 20, 2019"}]

I refreshed the page after a couple of minutes and the life event is still there. So this may be a deeper issue than first thought.

mechanarchy on 20 Feb 2019

👍2

All 2 comments

I've tried this myself on the hosted version and can confirm that the user is deleted. I've gone through the steps myself and it looks like the reason this occurs is because of the HTTP DELETE method used and the server's Location header response. This might mean it's browser-specific; I am using Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.110 Safari/537.36 Vivaldi/2.3.1440.48.

Sequence of events

User clicks 'Delete'
Browser issues request DELETE /lifeevents/558 HTTP/1.1
Server deletes the life event. The body of the response indicates the life event was deleted as desired. However, the server also tries to redirect the browser back to the contact page, by replying with HTTP/1.1 302 Found and Location: https://app.monicahq.com/people/h:WyO7q8QXM1ygdXVKGnR9.
At this point, the bug happens.
Browser then redirects as requested, but issues a DELETE request instead of a GET request: DELETE /people/h:WyO7q8QXM1ygdXVKGnR9 HTTP/1.1. This causes the contact record to be deleted as well.
Server replies with HTTP/1.1 302 Found and Location: https://app.monicahq.com/people.
Browser redirects again using the same 'bug' characteristics: DELETE /people HTTP/1.1
Server replies that you can't delete the entire people endpoint: HTTP/1.1 405 Method Not Allowed.

Some further research indicates that the HTTP response code 303 See Other should be used to unambiguously tell the browser to redirect and use the GET method instead of any other. This should fix the issue.

Resolution summary

Server should reply with 303 See Other instead of 302 Found for any DELETE requests.

mechanarchy on 19 Feb 2019

User clicks 'Delete'
Browser issues DELETE /lifeevents/559 HTTP/1.1
Server replies HTTP/1.1 303 See Other, Location: https://app.monicahq.com/people/h:YJaPqMeZRbEg3Z1o8yVd
Browser issues GET /people/h:YJaPqMeZRbEg3Z1o8yVd HTTP/1.1. Server replies HTTP/1.1 200 OK. Browser displays friendly 'life event deleted successfully' toast notification message.
Browser issues GET /people/h:YJaPqMeZRbEg3Z1o8yVd/lifeevents HTTP/1.1.
Server replies HTTP/1.1 200 OK with body:
[{"id":559,"life_event_type":"New vehicle","default_life_event_type_key":"new_vehicle","name":"Test issue 2415 fix","note":null,"happened_at":"Feb 20, 2019"}]