  1. XWiki Platform
  2. XWIKI-7011

Deleting a user from a group does not work with CSRF protection


    Details

    • keywords:
      group remove member csrf
    • Difficulty:
      Trivial
      Description

      How to reproduce:

      • Enable CSRF protection
      • Create a test user
      • Go to XWikiAllGroup logged in as admin and in inline edit mode
      • Delete the just added test user from XWikiAllGroup

      The JavaScript removes the user from the livetable, but on a refresh, it's back.

      Reason: The delete URL that's used by AJAX lacks the 'form_token' parameter.


            People

            Assignee:
            enygma Eduard Moraru
            Reporter:
            enygma Eduard Moraru
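
The stated reason, turned into a client-side check and fix as an added example (not XWiki's own code): a helper that detects whether the URL used for the AJAX delete carries `form_token` and adds the current token when it does not. The function names, the sample URL and the token value are assumptions constructed for illustration.

```javascript
// Added illustration; helper names and sample values are constructed, not XWiki code.
const TOKEN_PARAM = 'form_token'; // parameter name given in the report

// Split a (possibly relative) URL into path, query parameters and fragment.
function splitUrl(url) {
  const hashAt = url.indexOf('#');
  const fragment = hashAt === -1 ? '' : url.slice(hashAt);
  const beforeHash = hashAt === -1 ? url : url.slice(0, hashAt);
  const queryAt = beforeHash.indexOf('?');
  const path = queryAt === -1 ? beforeHash : beforeHash.slice(0, queryAt);
  const query = queryAt === -1 ? '' : beforeHash.slice(queryAt + 1);
  return { path, params: new URLSearchParams(query), fragment };
}

// True when the URL already carries a non-empty CSRF token.
function hasFormToken(url) {
  const value = splitUrl(url).params.get(TOKEN_PARAM);
  return value !== null && value !== '';
}

// Return the URL with the current token set, replacing any stale value.
function withFormToken(url, token) {
  if (typeof token !== 'string' || token === '') {
    throw new Error('No CSRF token available; not sending the request');
  }
  const { path, params, fragment } = splitUrl(url);
  params.set(TOKEN_PARAM, token);
  return `${path}?${params.toString()}${fragment}`;
}

// Constructed sample: a delete URL built without the token, as in the report.
const deleteUrl = '/wiki/group/XWikiAllGroup?action=removeMember&name=TestUser#members';
const pageToken = 'tok123'; // stands in for the token the page was rendered with
console.log(hasFormToken(deleteUrl));
console.log(withFormToken(deleteUrl, pageToken));
```

Running `hasFormToken` over every URL a page's scripts use for state-changing requests is a quick way to find other AJAX calls with the same omission.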