Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 1.46
- Fix Version/s: 1.47
- Component/s: Users, Groups, Rights
- Labels: None
- keywords: CSRF, bugfixingday
Description
A form_token parameter must be added to the URL of the addNewMember
Ajax request in XWiki.XWikiGroupSheet:
< var url = "${doc.getURL()}?xpage=adduorg&uorg=" + uorg + "&name=" + input.value; > var url = "${doc.getURL()}?xpage=adduorg&uorg=" + uorg + "&name=" + input.value + "&form_token=$!{services.csrf.getToken()}";
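Review bot: on the changed `var url = ...` line, `uorg` and `input.value` are still concatenated into the query string unencoded, so a member name containing `&`, `#` or `=` can cut off or alter the parameters that follow it, including the newly appended `form_token`; wrap both values in `encodeURIComponent(...)`. The quiet reference `$!{services.csrf.getToken()}` renders as an empty string when the call returns nothing, so the request would go out with an empty `form_token` and no visible error. The token only protects the action if the server-side handling of `xpage=adduorg` rejects requests whose `form_token` is missing or invalid, and that check is not visible in this change. Because the token is carried in the URL, it can end up in access logs and browser history; sending it in a POST body would avoid that.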