Bug #15843

Redirect to login page on CSRF error

Added by John Mitsch about 3 years ago. Updated about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

To reproduce

1) Open two tabs in the browser
2) Go to the Red Hat repositories page in one and open an enabled repository
3) In the other tab, log out
4) Go to the RH repos tab and disable the repo.
5) You should see a CSRF token error

This can probably be reproduced by enabling a repo as well.

Ideally we would redirect to login page here.

2016-07-26 13:47:49 [app] [I] Started GET "/katello/products/130/available_repositories?content_id=2472&_=1469540849891" for 192.168.121.1 at 2016-07-26 13:47:49 +0000
2016-07-26 13:47:49 [app] [I] Processing by Katello::ProductsController#available_repositories as */*
2016-07-26 13:47:49 [app] [I]   Parameters: {"content_id"=>"2472", "_"=>"1469540849891", "id"=>"130"}
2016-07-26 13:47:56 [app] [I]   Rendered /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.68/app/views/katello/providers/redhat/_repos.html.erb (10.8ms)
2016-07-26 13:47:56 [app] [I] Completed 200 OK in 6985ms (Views: 11.5ms | ActiveRecord: 72.6ms)
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating throttle_limiter...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating client dispatcher...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] stop listening for new events...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating clock...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating throttle_limiter...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating client dispatcher...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] stop listening for new events...
2016-07-26 13:49:22 [foreman-tasks/dynflow] [I] start terminating clock...
2016-07-26 13:53:40 [app] [I] Started PUT "/katello/products/130/toggle_repository" for 192.168.121.1 at 2016-07-26 13:53:40 +0000
2016-07-26 13:53:40 [app] [I] Processing by Katello::ProductsController#toggle_repository as */*
2016-07-26 13:53:40 [app] [I]   Parameters: {"repo"=>"0", "pulp_id"=>"Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Enterprise_Linux_7_Server_-_RH_Common_RPMs_x86_64_7Server", "content_id"=>"2472", "releasever"=>"7Server", "basearch"=>"x86_64", "id"=>"130"}
2016-07-26 13:53:40 [app] [W] Can't verify CSRF token authenticity
2016-07-26 13:53:40 [app] [I] Completed 500 Internal Server Error in 5ms
2016-07-26 13:53:40 [app] [F] 
 | Foreman::Exception (ERF42-4995 [Foreman::Exception]: Invalid authenticity token):
 |   app/controllers/application_controller.rb:371:in `handle_unverified_request'
 |   lib/middleware/catch_json_parse_errors.rb:9:in `call'
 | 
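As an added illustration of the behaviour this issue asks for (example code, not Foreman or Katello code): a plain Ruby model of a Rails-style `handle_unverified_request` that checks whether the session still holds a logged-in user before treating a failed CSRF token as a genuine forgery, so the logged-out-in-another-tab case from the reproduction steps ends in a redirect to the login page rather than a 500. The `/users/login` path, the session keys and the request hash shape are assumptions for this example.

```ruby
require 'securerandom'

LOGIN_PATH = '/users/login'                 # assumed login route for this example
STATE_CHANGING = %w[POST PUT PATCH DELETE].freeze

# Log a user in and issue the per-session CSRF token a framework embeds in pages.
def login!(session, user_id)
  session[:user_id] = user_id
  session[:_csrf_token] = SecureRandom.hex(32)
end

# Logging out in any tab destroys the shared server-side session.
def logout!(session)
  session.clear
end

# Constant-time comparison so the token check does not leak timing information.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Only state-changing verbs carry a token; GETs pass through.
def verified_request?(session, request)
  return true unless STATE_CHANGING.include?(request[:method])
  secure_compare(session[:_csrf_token], request[:token])
end

# Replacement for a raise-only handler: "no longer logged in" goes to the login
# page, while "live session but wrong token" is rejected as a real CSRF failure.
def handle_unverified_request(session, request)
  if session[:user_id].nil?
    # An XHR caller cannot render a redirected login page itself, so answer 401
    # and let the client-side script send the browser to LOGIN_PATH.
    { status: request[:xhr] ? 401 : 302, location: LOGIN_PATH }
  else
    { status: 422, body: 'Invalid authenticity token' }
  end
end

def dispatch(session, request)
  return { status: 200, body: 'toggled' } if verified_request?(session, request)
  handle_unverified_request(session, request)
end

# Replays the reproduction steps from the issue with a constructed session.
def reproduce_issue
  session = {}
  login!(session, 1)
  tab_a_token = session[:_csrf_token]   # tab A rendered the repositories page
  logout!(session)                      # tab B logs out
  dispatch(session, method: 'PUT', token: tab_a_token, xhr: true)  # tab A toggles the repo
end
```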

History

#1 Updated by John Mitsch about 3 years ago

  • Subject changed from CSRF mismatch on disabling RH repository to CSRF error on disabling RH repository

#2 Updated by Justin Sherrill about 3 years ago

  • Status changed from New to Rejected
  • Legacy Backlogs Release (now unused) set to 166

This is behaving as expected: when logging out in one tab, you'll be logged out in all tabs.

#3 Updated by John Mitsch about 3 years ago

The issue is more with the fact that the CSRF error is not obvious to the user and they are not redirected to a login page. I think in this scenario redirecting to a login page would improve the UX.

#4 Updated by John Mitsch about 3 years ago

  • Subject changed from CSRF error on disabling RH repository to Redirect to login page on CSRF error

#5 Updated by Justin Sherrill about 3 years ago

  • Status changed from Rejected to New
  • Legacy Backlogs Release (now unused) changed from 166 to 114

#6 Updated by Justin Sherrill about 3 years ago

  • Assignee set to John Mitsch
