XWiki Platform
XWIKI-7011

Deleting a user from a group does not work with CSRF protection

    Details

    • keywords:
      group remove member csrf
    • Difficulty:
      Trivial
      Description

      How to reproduce:

      • Enable CSRF protection
      • Create a test user
      • Go to XWikiAllGroup logged in as admin and in inline edit mode
      • Delete the just added test user from XWikiAllGroup

      The JavaScript removes the user from the livetable, but after a refresh the user is back.

      Reason: the delete URL used by the AJAX request lacks the 'form_token' parameter, so the request is rejected by the CSRF protection and the removal is never persisted.
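Added example, not XWiki's own code: a helper that appends form_token to the AJAX delete URL, next to a minimal model of the CSRF check that rejects a token-less request, which is why the row disappears from the livetable but the user is still in the group after a refresh. The URL path, the classid parameter, the member names and the token value are constructed for this example; only the form_token parameter name comes from the issue.

```javascript
// Added example, not XWiki's own code. Models the bug above: the AJAX
// delete request is rejected by CSRF protection because the URL carries
// no form_token, while the livetable row was already removed client-side.

// Append the form_token query parameter to a URL, preserving any existing
// query string and fragment.
function withFormToken(url, token) {
  const hashAt = url.indexOf('#');
  const fragment = hashAt === -1 ? '' : url.slice(hashAt);
  const base = hashAt === -1 ? url : url.slice(0, hashAt);
  const sep = base.includes('?') ? '&' : '?';
  return base + sep + 'form_token=' + encodeURIComponent(token) + fragment;
}

// Minimal model of a CSRF-protected "remove member" endpoint. The request is
// honoured only when its form_token matches the token bound to the session;
// otherwise nothing is removed and the server answers 403.
function handleRemoveMember(requestUrl, sessionToken, members, user) {
  const params = new URL(requestUrl, 'http://localhost').searchParams;
  const sent = params.get('form_token');
  if (sent === null || sent !== sessionToken) {
    return { status: 403, members: members.slice() };
  }
  return { status: 200, members: members.filter((m) => m !== user) };
}

// Client-side flow as the bug describes it: the livetable drops the row
// immediately, but the persisted group only changes if the server accepted
// the request. Returns what a page refresh would show.
function removeFromLivetable(deleteUrl, sessionToken, members, user) {
  const livetableRows = members.filter((m) => m !== user); // optimistic UI
  const response = handleRemoveMember(deleteUrl, sessionToken, members, user);
  return { livetableRows, afterRefresh: response.members, status: response.status };
}

// Constructed sample data; the path and classid parameter are illustrative.
const SESSION_TOKEN = 'constructed-token-123';
const GROUP = ['XWiki.Admin', 'XWiki.TestUser'];
const DELETE_URL = '/bin/objectremove/XWiki/XWikiAllGroup?classid=1';

// Buggy URL (no form_token): row vanishes, user is back after refresh.
const buggy = removeFromLivetable(DELETE_URL, SESSION_TOKEN, GROUP, 'XWiki.TestUser');
// Fixed URL: server accepts the request and the removal persists.
const fixed = removeFromLivetable(withFormToken(DELETE_URL, SESSION_TOKEN),
                                  SESSION_TOKEN, GROUP, 'XWiki.TestUser');
console.log(buggy.status, buggy.afterRefresh);  // 403 [ 'XWiki.Admin', 'XWiki.TestUser' ]
console.log(fixed.status, fixed.afterRefresh);  // 200 [ 'XWiki.Admin' ]
```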

        Activity

        Thomas Mortagne added a comment -

        Isn't CSRF enabled by default?

        Eduard Moraru added a comment - edited

        Well, yes. So it happens by default, but it was not noticed since CSRF is default only from 3.2 on. This bug exists from 30 Sept 2010, when it was introduced by mistake by https://github.com/xwiki/xwiki-platform/commit/2102c1fa56ebe4913ec024aef8b2bdf9d6a799c3

          People

          • Assignee:
            Eduard Moraru
          • Reporter:
            Eduard Moraru
          • Votes:
            0
          • Watchers:
            0
