Profile preview fails with ugly CSRF error
- Status
- Closed
- Subject
- Profile preview fails with ugly CSRF error
- Version
- 19.x
- Category
- Error
- Regression
- Feature
- Installer (profiles, upgrades and server-related issues)
Profile Manager - Resolution status
- Fixed or Solved
- Submitted by
- luciash d' being 🧙
- Volunteered to solve
- rjsmelo, Jorge Sá Pereira, lindon
- Lastmod by
- luciash d' being 🧙, Marc Laporte, rjsmelo, lindon
- Rating
- Related-to
- Description
Clicking the "Preview Changes" button to preview a profile in trunk fails with some badly broken full-tiki page in modal content and a CSRF error message in it:
- Solution
In r68090 was added a new feature to force the generation of new CSRF tokens, for the cases (like this) where there are multiple actions in the same interface and they can be executed using AJAX (consuming the tokens).
Also, each of the actions is getting a new token.
There will still be an issue as each of the tokens is "single use"
, you should not be able to run preview twice.- Actually, I should be able to run preview as many times as I wish ;) Other ideas how to fix this?
*************
Update: should be fixed now with r68745. Tickets not needed for actions that do not change the database, like preview, export, find, etc. Also, should not use GET methods for tickets.- Importance
- 8
- Easy to solve?
- 6
- Priority
- 48
- Demonstrate Bug (Tiki 19+)
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
Accessing the Tiki instance that demonstrates this bugThe URL for the show2.tiki.org instance that demonstrates this bug is at: http://luci-199-6760.show2.tiki.org. Note that if you get a popup asking for a username/password, please just enter "show" and "show". This is different from the initial login and password for a new Tiki which is "admin" and "admin".
For the install log, see http://luci-199-6760.show2.tiki.org/info.txt
Note that if you see PHP errors or a Tiki claiming to be missing third party software, the instance creation is probably not finished. Please wait a couple minutes and reload.
SnapshotsSnapshots are database dumps of the configuration that developers can download for debugging. Once you have reproduced your bug on the show2.tiki.org instance, create a snapshot that can then be downloaded by developers for further investigation.
Snapshots can be accessed at: http://luci-199-6760.show2.tiki.org/snapshots/. Note that if you get a popup asking for a username/password, please just enter "show" and "show".
Create new snapshot - Ticket ID
- 6760
- Created
- Thursday 23 August, 2018 14:35:47 GMT-0000
by luciash d' being 🧙 - LastModif
- Tuesday 22 January, 2019 13:48:38 GMT-0000
;){kind=link}
;){kind=link}
- Browse Directory is broken
- Wiki argument variables, Documentation; The help tools of Tiki for Wiki argument variables redirect to the wrong page
- Plugin List, Wiki Argument Variables; Admin should see a warning when the Wiki Argument Variables is not enabled and he tries to use it.
- General, Navigation; Endless loop, too much redirect error, if a wiki page is the value of the option
- Tiki tag ~ hs ~ is lost on wiki page duplication
;){kind=link}
;){kind=link}