XWiki Platform: XWIKI-7011

Deleting a user from a group does not work with CSRF protection

    Details

    • keywords:
      group remove member csrf
    • Difficulty:
      Trivial
    • Similar issues:
      XWIKI-6768 Deleting users from admin UI does not work with CSRF protection
      XWIKI-5465 Fix all integration tests to work with enabled CSRF protection
      XWIKI-9361 CSRF protection is vulnerable to UI redressing
      XWIKI-9385 Removing a user with a dot in its name from a group does not work
      XWIKI-6773 Enable CSRF protection by default
      XWIKI-6308 Add a warning when deleting a user from a group
      XWIKI-277 Removing a user does not remove the user from groups
      XWIKI-4566 Users/groups from other wikis are not properly taken into account when put in a local group

      Description

      How to reproduce:

      • Enable CSRF protection
      • Create a test user
      • Go to XWikiAllGroup logged in as admin and in inline edit mode
      • Delete the just added test user from XWikiAllGroup

      The JavaScript removes the user from the livetable, but on a refresh it's back.

      Reason: The delete URL that's used by AJAX lacks the 'form_token' parameter.

        Activity

        Thomas Mortagne added a comment -

        Isn't CSRF enabled by default ?

        Eduard Moraru added a comment (edited)

        Well, yes. So it happens by default, but it was not noticed since CSRF is default only from 3.2 on. This bug exists from 30 Sept 2010, when it was introduced by mistake by https://github.com/xwiki/xwiki-platform/commit/2102c1fa56ebe4913ec024aef8b2bdf9d6a799c3


          People

          • Assignee:
            Eduard Moraru
          • Reporter:
            Eduard Moraru
          • Votes:
            0
          • Watchers:
            0
