Maria Odea Ching
added a comment - Added the following changes in -r1091098 :
CSRF checks for delete actions and some save actions
added selenium tests for CSRF
Maria Odea Ching
added a comment - Re-opening issue. Delete project group from project group summary is failing. It's always returning "Invalid token found in request" even though the token was passed.
Maria Odea Ching
added a comment - Fixed in 1.3.x branch -r1092648 with the following changes:
do an explicit check for a randomly generated value in the action on remove project group (built-in token session interceptor doesn't work for projectGroupSummary page because the <s:action> tag (which executes result) for getting the projects in the group in the page causes a double submit)
enabled selenium test for remove project group csrf check
Maria Odea Ching
added a comment - Additional changes committed in branch -r1099015 and merged in trunk -r1099019 :
revert changes made in -r1092648 in csrf check for remove project group
check only on actual delete, do not check on confirm delete – separated remove project group and confirm remove project group into separate actions