Make seeding new release easier

Anakunda · April 20, 2023, 3:36pm

Hello, what’s the proper procedure to use seeding new release if I want to open the addition page in new browser window?
I find it complicated posting prefill values by POST method, this requires emulating the form on current page.
It would be more convenient to allow all values listed at
https://musicbrainz.org/doc/Development/Release_Editor_Seeding
to be passed by GET method, ie. together with the endpoint address.
There seems to be only value recognized (release-group).

derat · April 20, 2023, 7:44pm

POST was the only way that I could find to do this, unfortunately – I assume that there’s some historical reason why /release is different from the other forms (which can be seeded with GET).

To open the page in a new tab, I ended up doing something like the following (paraphrased, so there may be typos):

const form = document.createElement('form');
form.action = 'https://musicbrainz.org/release/add';
form.method = 'post';
form.target = '_blank';
for (const p of params) {
  const input = document.createElement('input');
  form.appendChild(input);
  input.type = 'hidden';
  input.name = p.name;
  input.value = p.value;
}
  
const link = document.createElement('a');
link.target = '_blank';
link.addEventListener('click', (e) => {
  form.submit();
  e.preventDefault();
});

So yeah, just building and submitting a form in code.

The other downside of GET being unsupported is that you always need to click through MusicBrainz’s CSRF interstitial prompt when using POST.

jesus2099 · April 20, 2023, 8:33pm

I’ve hit the get URL length limitation already with a work importer.
So it would be impossible for a whole release to use get.

Anakunda · April 20, 2023, 9:03pm

Yep the virtual form and target=_blank does the job, though I still think nothing will break with GET and chained url params (I’m not going to seed complete release with tracklist, recordings etc., just basic album parameters so no concerns to length). The posted method moreover introduces additional unnecessary step of confirming the request.
Anyway the virtual form is sufficient.

atj · April 21, 2023, 2:43pm

The “Confirm Form Submission” step was added in order to prevent malicious websites from being able to submit edits as users without their knowledge (see MBS-11092). So it’s not “unnecessary”.