Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1, 3.2 M2
Component/s: Web - Templates & Resources
Labels: None
Keywords: group remove member csrf
Difficulty: Trivial
Similar issues:
- XWIKI-6768 Deleting users from admin UI does not work with CSRF protection
- XWIKI-5465 Fix all integration tests to work with enabled CSRF protection
- XWIKI-6773 Enable CSRF protection by default
- XWIKI-6308 Add a warning when deleting an user from a group
- XWIKI-277 Removing a user does not remove the user from groups
- XWIKI-4566 Users/groups from other wikis are not properly taken into account when put in a local group
- XWIKI-7495 Local rights of Ldap-Authenticated Users being deleted during Login/Refresh
- XWIKI-7775 Deleting and recreating a subwiki does not work (throws exception)
- XWIKI-2308 If you delete Group the Group Reference should be deleted from XWikiGlobalRights
Description
How to reproduce:
- Enable CSRF protection
- Create a test user
- Go to XWikiAllGroup logged in as admin and in inline edit mode
- Delete the just-added test user from XWikiAllGroup
The JavaScript removes the user from the livetable, but after a refresh it's back.
Reason: the delete URL used by the AJAX call lacks the 'form_token' parameter.
Isn't CSRF enabled by default?