Fix: add CSRF token to AJAX post requests #3465
Conversation
Simrayz
changed the title
Test results 27 files 27 suites 44m 56s ⏱️ Results for commit 4ba8002. ♻️ This comment has been updated with latest results. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #3465 +/- ##
==========================================
+ Coverage 62.08% 62.09% +0.01%
==========================================
Files 611 611
Lines 44865 44865
Branches 43 43
==========================================
+ Hits 27856 27861 +5
+ Misses 16999 16994 -5
Partials 10 10 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Simrayz
changed the title
Simrayz
changed the title
lunkwill42
left a comment
lunkwill42
left a comment
There was a problem hiding this comment.
Nice solutions over all 👍
However:
-
There are a bunch of needless whitespace changes to HTML templates and JS files here, that make the diff really hard to read. I'm fine with intentional whitespace changes, but they should be made as separate commits.
-
Removing dashboard navlets doesn't actually stick - reloading the dashboard makes them reappear. It seems this inadvertently changes the URL that the delete button posts to...
-
The last commit purports to just add a news fragment/changelog entry, but also makes some unspecified changes to JS files, this should be cleaned up
I'd be interested in knowing what the crashes you experience look like. Also, PortAdmin is the reason why I was working on documenting how to properly enable IPv6 in the devcontainer (a work I haven't really completed). Our lab is currently down, and the only switches I have available for testing PortAdmin on are the ones in our Teknobyen offices (testing on production equipment, yikes!). These are all managed over IPv6, so I can't test on them from the devcontainer unless it can properly communicate over IPv6; I also need to be on the office technical VLAN to access them, so I can't do it from home (not even sure VPN will work). We might want to look at this together when we're both in the office. |
Simrayz
force-pushed
the
fix/add-csrf-token-to-js-post-requests
branch
from
cf69363 to
b551a2d
Compare
johannaengland
left a comment
johannaengland
left a comment
There was a problem hiding this comment.
Mostly some questions. Do you have any reference to how you fixed this? So that I can try understanding this better and if something like this comes up again in the future
Simrayz
force-pushed
the
fix/add-csrf-token-to-js-post-requests
branch
2 times, most recently
from
205b1b2 to
dc37674
Compare
johannaengland
left a comment
johannaengland
left a comment
There was a problem hiding this comment.
- I still sometimes get a 403 response when trying to update the netmap view, specifically to the endpoint
/netmap/views/5/nodepositions/update/ - When trying to delete a widget from my dashboard I get a 400 response from the endpoint
/navlets/remove-user-navlet/(all other dashboard things work) - In the status tool the bulk actions "Acknowledge" and "Clear" also return a 403 error
- Please separate reformatting and changes into different commits, that makes reviewing much easier (in that case a rebase is allowed)
- If we want to add POST requests to the frontend in the future: Add documentation to https://nav.readthedocs.io/en/latest/hacking/javascript.html on how to get the CSRF token
- Commit messages: If including issue/PR numbers, please add them to the second line
Simrayz
force-pushed
the
fix/add-csrf-token-to-js-post-requests
branch
from
dc37674 to
eaa1e0f
Compare
|
@johannaengland I have rebased the PR and done the following changes:
I added documentation to Javascript hacking about how to include CSRF tokens in the template, and how to access them for usage in AJAX requests. In addition I have fixed the 400 bug in However, I was not able to reproduce the 403 errors you reported. Are you logged in with a user that does not have all required permissions? I usually test with an admin user, or a new user with minimal permissions. I tried creating a new user (not part of any groups except the defaults), and it was able to Acknowledge alerts. |
Simrayz
force-pushed
the
fix/add-csrf-token-to-js-post-requests
branch
from
d3cb45a to
a444e9d
Compare
|
@johannaengland I've fixed the bug in Unrecognized Neighbors (refresh of page, causing no status message to display), and added a fix for #3444 as well. |
johannaengland
left a comment
johannaengland
left a comment
There was a problem hiding this comment.
Functionality is great, now just nitpicking about docs
Simrayz
force-pushed
the
fix/add-csrf-token-to-js-post-requests
branch
from
ecebddb to
7b4b298
Compare
johannaengland
left a comment
johannaengland
left a comment
There was a problem hiding this comment.
Just a tiny typo fix
Simrayz
force-pushed
the
fix/add-csrf-token-to-js-post-requests
branch
from
7b4b298 to
4ba8002
Compare
|
Scope and purpose
Fixes bugs identified in #3396.
When enabling CSRF protection in the django middleware, javascript requests also have to send a csrf token. This PR adds instances identified from testing #3396. However, #3444 is left untouched as I'm not able to load the relevant Portadmin pages without crashes9.
Contributor Checklist
<major>.<minor>.x). For a new feature or other additions, it should be based onmaster.