A Web Developer Noticed A Major Security Risk In The New Website’s Code, But His Boss Told Him That’s How She Wanted It, So He Let It Go
by Michael Levanduski

In technical fields, employers often promote non-technical people into management, and that can backfire.
What would you do if you were building a website and your boss insisted on a massive security risk being built into it, even after you had shown her exactly what it would allow?
That is what happened to the developer in this story. He did as he was told, got the instruction in writing, and then pointed the flaw out to the testing group so they could reject the release and embarrass his boss.
Just do it the way I said
I worked for a government agency that provided a service to the public through a website.
This seems like a pretty standard process.
I was working on a part of the website that confirmed whether or not users wished to delete their user accounts.
As usual, to protect against accidental (or malicious) account deletion the user has to click “Delete my account”, they are then shown a screen “are you sure you wish to delete your account?”, and if they click “Yes” then their browser goes off and tells the server to delete their account (and withdraw from all jobs they’ve applied for).
This next bit is a tiny bit technical for those who are interested.
- When you go somewhere in your browser it sends a GET request to the server because it wants to get the page contents + image contents etc.
- When you submit a form (such as signing in, or confirming you wish to delete your account) your browser sends a POST request to the server.
What a great explanation of how it works.
A POST means the server is going to change something (such as deleting your account) whereas a GET merely means “give me something but don’t make any changes”. When you click a link in a browser (e.g. from Twitter), your browser will only ever do a GET, it will *never* do a POST. This is why confirming you want to delete your account should be a POST, so nobody can trick you into visiting a link and doing some harm.
So, back to the story…
Why do they always seem to put people like this into management?
The project manager was really rubbish at her job, she wasn’t technical at all. Another member of staff used to “assist” her, which basically involved him doing all of her work and her asking him how he did it but never seeming to remember.
I was making some modifications to the site in this area when I spotted the requirement was to have the Delete Account Confirmation page as a GET.
I would imagine this is an important change that needs to be made.
I pointed out to her that I could easily send her a link in an email and if she clicked it then it would delete her account on the server and withdraw her from all her job applications – and that we should change the requirement to make it a POST.
To hide her inadequacies she would often shout people down, and that’s exactly what she did. She told me to just do what I was supposed to be doing rather than trying to change the requirements at this late stage and delay the release.
Always document this type of thing.
The problem is, from experience I knew that she often made uneducated decisions and then, when they backfired, she either genuinely didn’t remember them or lied. So, I went back to my computer and I wrote to her.
Paraphrased “Can you confirm something for me? The specification says to make the Delete Account Confirmation screen a GET request. It really should be a POST because it deletes users’ accounts. I am concerned a malicious person could post a link on Twitter and everyone who follows it will have their account deleted and all their job applications cancelled. I just want to make sure I have understood you properly and I am not being thick. You said you want it to remain a GET request rather than changing it to the more secure POST request, is that right?”
Ok, he has it in writing.
She replied “Yes, as it is in the specification”.
So, I went and implemented it as instructed.
Deploying it to an internal test server first means the demonstration can’t hurt a real user.
Once the changes had been deployed to our internal test servers, I emailed the head of the Quality Assurance team.
“Hi Lead-QA, have you seen this cool job on the server?” with a link to…can you guess? That’s right, the “Delete Account Confirmation” page.
And he immediately sees the problem.
He received the email, opened it up, then clicked the link text that said “this cool job”. A browser opened, took him to the test server, and he was greeted with a message telling him how sorry we were to see him go, and that all his job applications have been withdrawn as requested.
Lead-QA: Whaaaat? Where have all my test job applications gone?
(Typing frantically)
I bet he was upset.
Lead-QA: They’ve actually gone! Is this a trick? Are they REALLY deleted?
He couldn’t believe what he was seeing. He asked how I had “hacked” the system, and I explained to him the rookie error that had been made. He logged a top priority critical security fault and rejected the release candidate, delaying the release until it was fixed and could be re-tested the next day.
If she doesn’t know, she is more of an idiot than I thought.
When she saw the bug that had been logged, the project manager went mad. “Who wrote this?” she demanded to know, loudly, in front of the whole office.
“I did,” I said.
Wow, he clearly brought it up to her.
“Why on earth would you make it so other people can so easily trick you into deleting your account?”
I walked over to her, so I could speak quietly and not embarrass her. “I did warn this would be possible, but you insisted this is the way you wanted it”.
Dishonest and stupid is a dangerous combination.
Now this is the point where she always claims she would never do something stupid. “No, I said the opposite”.
Me: No, you definitely said to do it this way.
She is digging herself into a bigger problem.
Her: No, you’ve misunderstood. This way makes no sense, I would never have told you to do something that makes no sense!
My experience was that she often told me to do things that made no sense, and then when they backfired she would say she couldn’t possibly have said to do something so nonsensical and the fault must lie with someone else.
Her: I suggest you go back and do it properly.
But he has proof.
I went back to my computer, pulled up the text conversation, and called her over.
Me: Look, this is where I explicitly asked if you want me to do it as a GET as per the specification, and what will be possible if we don’t change it to a POST, and you told me to do it according to the specification.
Oh, now she wants to be quiet.
Her: (Quietly) Well, just change it.
Me: I will. I will do it properly.
Not the end of the world.
The release was delayed for a day so it could go through testing again.
Note: Testers wipe the server clean for each test round and rebuild the data through scripts, so I didn’t upset the Lead QA guy…much 🙂
Honestly, it is disappointing that the boss didn’t get into any trouble at all. She should not be managing a technical project.
Let’s see what the people in the comments have to say about it.
People who are like this are the worst.

It would have been satisfying, but he does have to work for her.

Yup, this was a huge warning.

Yes, always document everything.

Some managers just have to give ‘advice’ even if it isn’t helpful.

Why doesn’t management listen to the subject matter experts?