Message6655
Hi Matt:
In message <1568970663.14.0.808392598651.issue2551060@roundup.psfhosted.org>,
Matt writes:
>It was when I did the diff between my HTML and the 1.6.1 HTML that I
>noticed the missing csrf fields in my HTML and presumed they needed
>adding...
There are places where you do need the @csrf token in your templates.
E.G. the original classic templates had forms that did actions where
the default submit button was not suitable (e.g. removing messages
from an issue).
>If the new CSRF fields in the 1.6.1 HTML were added in error, and
>have been removed with that checkin (sorry I couldn't work out how to
>view checkins)
Wow this is not as easy as I expected. To see checkins you can go to:
https://sourceforge.net/p/roundup/code/ (linked from the roundup
website at: http://roundup-tracker.org/code.html)
Click on the code tab and that will take you to something like:
https://sourceforge.net/p/roundup/code/ci/08b241c9fea4e9a349bb80c6964da5c15dfcafb9/
To see checkin 4d32fa88c5d2 edit the URL so it looks like
https://sourceforge.net/p/roundup/code/ci/4d32fa88c5d2/
and load that url. Yeah I am amazed at how difficult this is.
>I will now remove these hidden CSRF fields I added in error.
I would suggest you don't do that. If you merged the changes in from
the classic tracker templates, I claim that they are needed. I would
use your tracker with the additional @csrf elements. If you see the
dreaded:
  File "/home/roundup/lib/python2.6/site-packages/roundup/cgi/client.py", line 1154, in handle_csrf
    key=self.form['@csrf'].value
AttributeError: 'list' object has no attribute 'value'
issue in your logs, look for the @csrf hidden input along with /submit
in the same form. If you find that then remove the @csrf input.
It looks like there were 9 @csrf fields added to the classic
templates in revision c8bf4e9912ed
https://sourceforge.net/p/roundup/code/ci/c8bf4e9912ed/
It's a little difficult to advise you on this as I don't know if you
have added extra forms to the default templates.
>Thanks for all your help and advice. And I would like to say we have
>been using Roundup Issue tracker since 2009, it is a great bit of
>software and I would like to say a big thanks for all the effort you
>and your team put into developing it. Thank you.
I am glad you have found it useful. A lot of people have made roundup
what it is including Richard, the original author.
Have a great weekend.

Date | User | Action | Args
2019-09-20 22:27:16 | rouilj | set | recipients: + rouilj, tekberg, matt109
2019-09-20 22:27:16 | rouilj | link | issue2551060 messages
2019-09-20 22:27:16 | rouilj | create |
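The check suggested in the message (look for a hand-written @csrf hidden input in the same form as /submit) can be run over a template file with the sketch below. It is an added example, not part of the original message or of Roundup's code. It assumes /submit contributes its own @csrf field and is called from a TAL attribute; `audit` and `CsrfFormAudit` are hypothetical names, and the sample template is constructed. It also flags a form with two hand-written @csrf inputs, since any repeated field name reaches the handler as a list.

```python
import re
from html.parser import HTMLParser

# Assumption: the submit helper is written as ".../submit" inside a tal: attribute.
SUBMIT_EXPR = re.compile(r"[/.]submit\b")


class CsrfFormAudit(HTMLParser):
    """Record forms that would post more than one @csrf value."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line of <form>, explicit @csrf inputs, has /submit)
        self._form = None   # counters for the form currently open

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._form = {"line": self.getpos()[0], "csrf": 0, "submit": False}
        elif self._form is not None:
            attrs = dict(attrs)
            if tag == "input" and attrs.get("name") == "@csrf":
                self._form["csrf"] += 1
            for name, value in attrs.items():
                if name.startswith("tal:") and value and SUBMIT_EXPR.search(value):
                    self._form["submit"] = True

    def handle_endtag(self, tag):
        if tag != "form" or self._form is None:
            return
        form, self._form = self._form, None
        # /submit counts as one more @csrf field (assumption, see above).
        if form["csrf"] + form["submit"] > 1:
            self.findings.append((form["line"], form["csrf"], form["submit"]))


def audit(template_text):
    parser = CsrfFormAudit()
    parser.feed(template_text)
    return parser.findings


# Constructed sample: the first form mixes both sources, the second is fine.
SAMPLE = """\
<form method="POST" action="issue1">
 <input type="hidden" name="@csrf" value="constructed-nonce">
 <span tal:replace="structure context/submit">submit button</span>
</form>
<form method="POST" action="issue1">
 <input type="hidden" name="@csrf" value="constructed-nonce">
 <input type="submit" value="remove">
</form>
"""
print(audit(SAMPLE))
```

Each finding is the line of the opening form tag, the number of hand-written @csrf inputs, and whether a /submit expression was seen in that form.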