Uploaded image for project: '{RETIRED} XWiki Administration Application'
  1. {RETIRED} XWiki Administration Application
  2. XAADMINISTRATION-218

CSRF token not included in add-group-member ajax request

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Major
          • Resolution: Fixed
          • Affects Version/s: 1.46
          • Fix Version/s: 1.47
          • Component/s: Users, Groups, Rights
          • Labels:
            None
          • keywords:
            CSRF, bugfixingday
          • Similar issues:

            Description

            A form_token parameter must be added to the url of the addNewMember
            ajax request in XWiki.XWikiGroupSheet:

            < var url = "${doc.getURL()}?xpage=adduorg&uorg=" + uorg + "&name=" + input.value;
> var url = "${doc.getURL()}?xpage=adduorg&uorg=" + uorg + "&name=" + input.value + "&form_token=$!{services.csrf.getToken()}";

              Attachments

                Activity

                  People

                  • Assignee:
                    sdumitriu Sergiu Dumitriu
                    Reporter:
                    aj Andreas Jonsson
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    1 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved:
                      Date of First Response: