Unable to delete client - Results in '#'

wrongecho

We really should move away from GET requests for destructive functions. They should be POST requests ideally.

johnny

A bsolutely I plan on removing most delete functionality from the code and keeping them as archive with the possibility to un-archive records.

wrongecho

johnny

I still think delete should be an option though, for compliance & security reasons.

johnny

Yeah especially for clients I can see what you mean, i will restore the option but make it with extra confirmation and only put the delete button in the client details and not in the client listing.

Bigbug

johnny

Hi, any updates on this?
I recently played around with the client/create api endpoint, finding my self with a lot of clients/leads named "Test123" … that i want to get rid of

Thanks

🙏

wrongecho

Hey @Bigbug

Unsure if you're referring to the API or Web app delete.

I've just testing deleting clients in the Web UI and it works fine. First, archive the client. Then filter the clients list for archived clients and delete the client.

Bigbug

wrongecho Thanks! it worked for me, it's a good thing that it's difficult to delete

But in my situation, how should i go about bulk delete?

Does the API have a DELETE endpoint for clients?

wrongecho

Bigbug

There's no delete API currently, it would be fairly easy to add though…just seems dangerous.

wrongecho

@Bigbug if you use phpMyAdmin you could set the client-archived-at date for all the clients, and then delete them using the UI?

How do you think we should handle API client deletes? Should we force archiving and then deletes, or just allow a straight delete - no take-backsies.

Bigbug

wrongecho i see that the way it works is with a token in the URL.
what i did is i used the same URL and just changed the client_id to the one i want to delete and.. viola!

I didn't have to archive first

although i used it as a feature… this might be a bug…..

should it allow to use a token twice? and not for the client it was setup for?

wrongecho

Bigbug

Ah great!

The token is for CSRF protection, essentially stops a random website fooling you into deleting clients by browsing to itflow.example.com/post.php?delete_client=1. I wouldn't really consider it a bug, you had to actively seek out the token, and it changes on each login.

We can probably adjust the delete logic to only delete the client where the status is already archived though. Do you think it's necessary?

hugo

wrongecho I like the idea, that delete only after archived.