  1. XWiki Platform
  2. XWIKI-7011

Deleting a user from a group does not work with CSRF protection

    Details

    • keywords:
      group remove member csrf
    • Difficulty:
      Trivial
      Description

      How to reproduce:

      • Enable CSRF protection
      • Create a test user
      • Go to XWikiAllGroup logged in as admin and in inline edit mode
      • Delete the just added test user from XWikiAllGroup

      The JavaScript removes the user from the livetable, but on a refresh, it's back.

      Reason: The delete URL that's used by AJAX lacks the 'form_token' parameter.
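
The following is an added example, not XWiki's code and not the patch for this issue: one way a client-side script can attach the `form_token` parameter to a state-changing AJAX URL so the CSRF check accepts the request. The helper name `withFormToken`, the sample URL and the token value are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helper, not part of XWiki).
// Returns `url` with a form_token query parameter set to `token`,
// keeping the existing query parameters and any #fragment intact.
function withFormToken(url, token) {
  if (typeof token !== 'string' || token.length === 0) {
    // Fail loudly: sending the request without a token is exactly the
    // silent failure described in this issue (UI updates, server rejects).
    throw new Error('CSRF token missing; not building a state-changing URL');
  }

  // The parameter must go into the query string, before any fragment.
  const hashAt = url.indexOf('#');
  const fragment = hashAt === -1 ? '' : url.slice(hashAt);
  const beforeHash = hashAt === -1 ? url : url.slice(0, hashAt);

  const queryAt = beforeHash.indexOf('?');
  const path = queryAt === -1 ? beforeHash : beforeHash.slice(0, queryAt);
  const query = queryAt === -1 ? '' : beforeHash.slice(queryAt + 1);

  // URLSearchParams handles encoding; set() replaces a stale token
  // instead of appending a second, conflicting one.
  const params = new URLSearchParams(query);
  params.set('form_token', token);

  return path + '?' + params.toString() + fragment;
}

// Constructed sample values: the URL shape and token are illustrative only.
const sampleDeleteUrl =
  '/xwiki/bin/view/XWiki/XWikiAllGroup?action=remove&member=XWiki.TestUser';
const sampleToken = 'CONSTRUCTED-TOKEN-123';

function buildSampleRequestUrl() {
  return withFormToken(sampleDeleteUrl, sampleToken);
}

console.log(buildSampleRequestUrl());
```

The client should also treat a non-success response from the delete request as a failure and leave the row in place, so a rejected request is visible instead of reappearing after a refresh.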

            People

            • Assignee:
              enygma Eduard Moraru
              Reporter:
              enygma Eduard Moraru