Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- Version: 11.8-rc-1
- Unknown
- N/A
- N/A
Description
The reset link that is displayed above the customized user directory doesn't contain a CSRF token, thus triggering a CSRF warning. I'm not sure if the token should be embedded in the link as this might be bad practice (GET requests should be idempotent and not trigger the action), but maybe there could be a confirmation step?
Steps to reproduce:
- Click on the user directory in the menu
- Click on "customize"
- Add a new column
- Save and view the user directory again
- Click on reset
Expected result:
- The columns are reset to default
Actual result:
- A warning is displayed that the request contains invalid authentication information.
I cannot reproduce the issue in 11.7 and I think this is caused by XWIKI-14756 which introduced the CSRF tokens (which is good but breaks the reset).
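The confirmation-step approach suggested in the description, sketched as an added example in Python (this is not XWiki's code; the handler, the session dict, the `form_token` parameter name and the column names are assumed). A GET on the reset action only renders a confirmation form carrying the CSRF token, so the link itself stays idempotent; the reset happens only on a POST whose token matches the session's.

```python
import hmac
import secrets

# Constructed defaults and session state for the user directory; not XWiki's own.
DEFAULT_COLUMNS = ["name", "email"]


def new_session():
    """Create a session holding a per-session CSRF token and customized columns."""
    return {"csrf_token": secrets.token_hex(16),
            "columns": ["name", "email", "phone"]}  # customized: one extra column


def handle_reset(method, params, session):
    """Handle the 'reset' action of the customized user directory.

    GET never changes state: it returns a confirmation view that embeds the
    session's CSRF token in a form. POST performs the reset only when the
    submitted token matches; otherwise it returns the same warning the page
    reports, without touching the columns.
    """
    if method == "GET":
        return {"status": 200, "view": "confirm",
                "form_token": session["csrf_token"]}
    if method != "POST":
        return {"status": 405, "view": "error"}
    token = params.get("form_token", "")
    # Constant-time comparison; a missing or wrong token is rejected.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return {"status": 403, "view": "warning",
                "message": "the request contains invalid authentication information"}
    session["columns"] = list(DEFAULT_COLUMNS)
    return {"status": 200, "view": "directory", "columns": session["columns"]}
```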