From 1b6dc94baefc002c24f20413396cc54ead13e72e Mon Sep 17 00:00:00 2001
From: jokob-sk <jokob.sk@gmail.com>
Date: Thu, 5 Feb 2026 11:57:37 +1100
Subject: [PATCH] Deleting Plugin Objects was not possible #1486

Signed-off-by: jokob-sk <jokob.sk@gmail.com>
---
 front/pluginsCore.php                 | 11 +++++++----
 server/api_server/api_server_start.py | 22 +++++++++++++++-------
 server/api_server/dbquery_endpoint.py | 10 ++++++----
 server/api_server/openapi/schemas.py  |  2 +-
 4 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/front/pluginsCore.php b/front/pluginsCore.php
index 4a6a3897..63675993 100755
--- a/front/pluginsCore.php
+++ b/front/pluginsCore.php
@@ -572,7 +572,7 @@ function purgeAllExecute() {
     data: JSON.stringify({
       dbtable: dbTable,
       columnName: 'Plugin',
-      id: plugPrefix
+      id: [plugPrefix]
     }),
     contentType: "application/json",
     success: function(response, textStatus) {
@@ -603,15 +603,18 @@ function deleteListed(plugPrefixArg, dbTableArg) {
 
   // Ask for confirmation
   showModalWarning(`${getString('Gen_Purge')} ${plugPrefix} ${dbTable}`, `${getString('Gen_AreYouSure')} (${idArr.length})`,
-    `${getString('Gen_Cancel')}`, `${getString('Gen_Okay')}`, "deleteListedExecute");
+    `${getString('Gen_Cancel')}`, `${getString('Gen_Okay')}`,  () => deleteListedExecute(idArr));
 }
 
 // --------------------------------------------------------
-function deleteListedExecute() {
+function deleteListedExecute(idArr) {
   const apiBase = getApiBase();
   const apiToken = getSetting("API_TOKEN");
   const url = `${apiBase}/dbquery/delete`;
 
+  console.log(idArr);
+
+
   $.ajax({
     method: "POST",
     url: url,
@@ -619,7 +622,7 @@ function deleteListedExecute() {
     data: JSON.stringify({
       dbtable: dbTable,
       columnName: 'Index',
-      id: idArr.toString()
+      id: idArr
     }),
     contentType: "application/json",
     success: function(response, textStatus) {
diff --git a/server/api_server/api_server_start.py b/server/api_server/api_server_start.py
index c2108be5..9ace8a78 100755
--- a/server/api_server/api_server_start.py
+++ b/server/api_server/api_server_start.py
@@ -1287,14 +1287,22 @@ def dbquery_update(payload=None):
 def dbquery_delete(payload=None):
     data = request.get_json() or {}
     required = ["columnName", "id", "dbtable"]
-    if not all(data.get(k) for k in required):
-        return jsonify({"success": False, "message": "ERROR: Missing parameters", "error": "Missing required 'columnName', 'id', or 'dbtable' query parameter"}), 400
+    if not all(k in data and data[k] for k in required):
+        return jsonify({
+            "success": False,
+            "message": "ERROR: Missing parameters",
+            "error": "Missing required 'columnName', 'id', or 'dbtable' query parameter"
+        }), 400
 
-    return delete_query(
-        column_name=data["columnName"],
-        ids=data["id"],
-        dbtable=data["dbtable"],
-    )
+    dbtable = data["dbtable"]
+    column_name = data["columnName"]
+    ids = data["id"]
+
+    # Ensure ids is a list
+    if not isinstance(ids, list):
+        ids = [ids]
+
+    return delete_query(column_name, ids, dbtable)
 
 
 # --------------------------
diff --git a/server/api_server/dbquery_endpoint.py b/server/api_server/dbquery_endpoint.py
index 6d5f6b39..2cc9e6e5 100755
--- a/server/api_server/dbquery_endpoint.py
+++ b/server/api_server/dbquery_endpoint.py
@@ -11,6 +11,7 @@ INSTALL_PATH = os.getenv("NETALERTX_APP", "/app")
 sys.path.extend([f"{INSTALL_PATH}/front/plugins", f"{INSTALL_PATH}/server"])
 
 from database import get_temp_db_connection  # noqa: E402 [flake8 lint suppression]
+from logger import mylog  # noqa: E402 [flake8 lint suppression]
 
 
 def read_query(raw_sql_b64):
@@ -82,17 +83,18 @@ def delete_query(column_name, ids, dbtable):
         conn = get_temp_db_connection()
         cur = conn.cursor()
 
-        if not isinstance(ids, list):
-            ids = [ids]
-
         deleted_count = 0
         for id_val in ids:
-            sql = f"DELETE FROM {dbtable} WHERE {column_name} = ?"
+            # Wrap table and column in quotes to handle reserved words
+            sql = f'DELETE FROM "{dbtable}" WHERE "{column_name}" = ?'
+            mylog("debug", f"[delete_query] sql {sql} with id={id_val}")
             cur.execute(sql, (id_val,))
             deleted_count += cur.rowcount
 
         conn.commit()
         conn.close()
         return jsonify({"success": True, "deleted_count": deleted_count})
+
     except Exception as e:
         return jsonify({"success": False, "error": str(e)}), 400
+
diff --git a/server/api_server/openapi/schemas.py b/server/api_server/openapi/schemas.py
index fc98ceec..0501b2b1 100644
--- a/server/api_server/openapi/schemas.py
+++ b/server/api_server/openapi/schemas.py
@@ -44,7 +44,7 @@ ALLOWED_NMAP_MODES = Literal[
 
 NOTIFICATION_LEVELS = Literal["info", "warning", "error", "alert", "interrupt"]
 
-ALLOWED_TABLES = Literal["Devices", "Events", "Sessions", "Settings", "CurrentScan", "Online_History", "Plugins_Objects"]
+ALLOWED_TABLES = Literal["Devices", "Events", "Sessions", "Settings", "CurrentScan", "Online_History", "Plugins_Objects", "Plugins_History"]
 
 ALLOWED_LOG_FILES = Literal[
     "app.log", "app_front.log", "IP_changes.log", "stdout.log", "stderr.log",