Item4222: users may accidentally delete topic instead of attachment due to lost URL param

If you're trying to move an attachment as TWikiGuest TWiki (NatSkin) asks you to login.

Afterwards the ?attachment=myfile.doc parameter is lost. So instead of page based on moveattachment.nat.tmpl TWiki (NatSkin) loads a page that is based on renamebase.nat.tmpl.

Users who do not recognize this can accidentally move the entire topic to the trash web instead of just the attachment.

Here's a work around (requires SpreadSheetPlugin): in line 6 in attachtables.nat.tmpl change

<a href="%SCRIPTURLPATH{"attach"}%/%WEB%/%TOPIC%?filename=%A_FILE%&revInfo=1" title='%MAKETEXT{"manage properties of [_1]" args="<nop>%A_FILE%"}%' rel='nofollow'>%MAKETEXT{"props"}%</a>, <a href="%SCRIPTURLPATH{"rename"}%/%WEB%/%TOPIC%?attachment=%A_FILE%" title='%MAKETEXT{"move or delete [_1]" args="<nop>%A_FILE%"}%' rel='nofollow'>%MAKETEXT{"move"}%</a>

to

%CALC{$IF($EXACT(%WIKINAME%,TWikiGuest),<a href='%NATLOGINURL%' rel='nofollow' accesskey='l' title='TWiki Login'>login</a> required, <a href='%SCRIPTURLPATH{"attach"}%/%WEB%/%TOPIC%?filename=%A_FILE%&revInfo=1' title='%MAKETEXT{"manage properties of [_1]" args="<nop>%A_FILE%"}%' rel='nofollow'>%MAKETEXT{"props"}%</a>, <a href='%SCRIPTURLPATH{"rename"}%/%WEB%/%TOPIC%?attachment=%A_FILE%' title='%MAKETEXT{"move or delete [_1]" args="<nop>%A_FILE%"}%' rel='nofollow'>%MAKETEXT{"move"}%</a>)}%

-- TWiki:Main/CarloSchulz - 07 Jun 2007

Carlo, thanks a lot for catching this. However I will work around this issue by hiding the attachment actions if the current user has no access rights to the topic. This may also be the case if you are authenticated but forbidden by some ACLs. The tools to do this are in the IfDefinedPlugin, using the %IFACCESS tag...

-- TWiki:Main.MichaelDaum - 08 Jun 2007