XWiki Platform
XWIKI-6768

Deleting users from admin UI does not work with CSRF protection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6 RC1, 2.6 RC2, 2.6, 2.7 RC1, 2.7, 2.6.1, 3.0 M1, 3.0 M2, 2.6.2, 2.7.1, 3.0 M3, 3.0 RC1, 3.0, 3.1 M1, 2.7.2, 3.1 M2, 3.1 RC1, 3.1
    • Fix Version/s: 3.2 M1, 3.1.1
    • Component/s: Administration
    • Labels:
      None
    • Tests:
      Integration
    • Difficulty:
      Trivial
    • Similar issues:
      XWIKI-7011: Deleting a user from a group does not work with CSRF protection
      XWIKI-9361: CSRF protection is vulnerable to UI redressing
      XWIKI-5465: Fix all integration tests to work with enabled CSRF protection
      XWIKI-6822: Extension Manager admin UI does not have programming right
      XWIKI-6773: Enable CSRF protection by default
      XWIKI-8408: Improve Search Admin UI
      XWIKI-1944: "delete" right does not allow non-creators to delete a document

      Description

      To reproduce:

      • enable CSRF protection
      • log in as Admin
      • go to "Administration » Users & Groups » Users"
      • try to delete some user

      The user disappears from the table, but is not deleted and shows up again on reload.

      This is a regression introduced in XAADMINISTRATION-171.

        Activity

        Alex Busenius added a comment -

        Fixed in bf513e7 (3.2M1) and 3a45ad1 (3.1.1). The issue is caught by functional tests when CSRF protection is enabled.


          People

          • Assignee:
            Alex Busenius
            Reporter:
            Alex Busenius
          • Votes:
            0
            Watchers:
            0

            Dates

            • Created:
              Updated:
              Resolved: