
[BUG] StateIndicatorMixin raises CSRF error with CSRF_USE_SESSIONS = True #437

Will-Hoey opened this issue Dec 10, 2024 · 0 comments · May be fixed by #444

Will-Hoey commented Dec 10, 2024

Description

I have a standard Grouper/Content model setup (not dissimilar to djangocms-blog) where the publish/unpublish actions added via the StateIndicatorMixin do not work as expected and throw a 403 - CSRF token from POST incorrect.

From my testing this only occurs when we set CSRF_USE_SESSIONS = True in settings.py. Setting this to False gets things working again. Most other settings are reasonable defaults.

EDIT:
After deploying this to our development server it didn't actually fix the issue, but it now does raise something slightly more useful. With the setting marked as False I get:

Uncaught TypeError: document.cookie.match(...) is null from https://github.com/django-cms/djangocms-versioning/blob/master/djangocms_versioning/static/djangocms_versioning/js/indicators.js#L12

Going back to a localhost instance with the setting as True:
Uncaught TypeError: window.top.CMS is undefined from https://github.com/django-cms/djangocms-versioning/blob/master/djangocms_versioning/static/djangocms_versioning/js/indicators.js#L76

Some other things:

  • This doesn't occur for Pages, only custom models which use the Grouper admin mixins.
  • By going to "manage versions" instead you can publish or unpublish as expected.

Steps to reproduce

  1. Go to a custom grouper admin. e.g /admin/news/article/
  2. Click on state indicator and select publish or unpublish
  3. If not in sidebar, nothing happens, otherwise it will show the 403 in a modal.

Expected behaviour

Page reloads and the object is marked as published/unpublished

Actual behaviour

403 CSRF error is raised.

Additional information (CMS/Python/Django versions)

CMS v4.1.1
Django 5.1.3
Djangocms-Versioning 2.1.0

Snippet

from django.contrib import admin
# Import locations are not shown in the original report and are assumed here:
# GrouperModelAdmin ships with django CMS 4, the versioning mixins with
# djangocms-versioning.
from cms.admin.utils import GrouperModelAdmin
from djangocms_versioning.admin import (
    ExtendedGrouperVersionAdminMixin,
    ExtendedIndicatorVersionAdminMixin,
    StateIndicatorMixin,
)

# Project-local modules (assumed names; the report only shows their use).
from . import admin_mixins
from .models import Article, ArticleContent


@admin.register(Article)
class ArticleAdmin(StateIndicatorMixin, ExtendedGrouperVersionAdminMixin, GrouperModelAdmin):
    content_models = ArticleContent
    extra_grouping_fields = ("language",)
    # "state_indicator" is the changelist column supplied by StateIndicatorMixin;
    # its publish/unpublish menu is what triggers the 403 described above.
    list_display = ["title", "author", "state_indicator"]
    list_filter = ["author"]
    search_fields = ["author__name"]
    autocomplete_fields = ["author"]
    fieldsets = [...]


@admin.register(ArticleContent)
class ArticleContentAdmin(ExtendedIndicatorVersionAdminMixin, admin.ModelAdmin):
    fieldsets = [(None, {"fields": ["title", "intro", "slug"]}), admin_mixins.META_FIELDSET]

    def get_model_perms(self, request):
        """
        Return empty perms dict to hide the model from admin index.
        """
        return {}

Do you want to help fix this issue?

  • Yes, I want to help fix this issue and I will join the channel #pr-reviews on the Discord Server to confirm with the community that a PR is welcome.
  • No, I only want to report the issue.
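The first traceback in the report (document.cookie.match(...) is null) is what a cookie lookup produces when the cookie does not exist. With CSRF_USE_SESSIONS = True, Django keeps the CSRF token in the session and sets no csrftoken cookie, so Django's documented way for page JavaScript to get the token is from the DOM, i.e. the hidden input rendered by {% csrf_token %}. The following is an added example, not code from djangocms-versioning or from the reporter, of a lookup that tries the cookie first and falls back to the hidden input, and returns null instead of throwing when neither is present. The constructedDom and emptyDom objects are constructed stand-ins for a browser document; in a real page you would pass document and document.cookie.

```javascript
// Added example (not djangocms-versioning code): CSRF token lookup that works
// whether Django stores the token in a cookie (CSRF_USE_SESSIONS = False) or
// only in the session (CSRF_USE_SESSIONS = True, no "csrftoken" cookie at all).

// Parse a cookie header string ("a=1; csrftoken=abc") and return one value.
// Returns null when the cookie is absent instead of throwing, which is the
// failure mode of the naive document.cookie.match(/csrftoken=([^;]+)/)[1].
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Resolve the CSRF token: cookie first, then the hidden input that
// {% csrf_token %} renders, which is populated in both settings modes.
// `doc` is injected so the function runs outside a browser (pass `document`).
function getCsrfToken(cookieString, doc, cookieName = "csrftoken") {
  const fromCookie = getCookie(cookieString, cookieName);
  if (fromCookie) return fromCookie;
  const input = doc.querySelector('input[name="csrfmiddlewaretoken"]');
  if (input && input.value) return input.value;
  return null;
}

// Headers for a fetch/XHR POST. Django's CsrfViewMiddleware reads the token
// from the X-CSRFToken header (the default CSRF_HEADER_NAME) for non-form
// requests. Fail loudly rather than sending a request that will 403.
function csrfHeaders(token) {
  if (!token) {
    throw new Error("CSRF token unavailable: render {% csrf_token %} in the page");
  }
  return { "X-CSRFToken": token, "X-Requested-With": "XMLHttpRequest" };
}

// Constructed stand-ins for the two deployments in the report.
// A page that rendered {% csrf_token %}:
const constructedDom = {
  querySelector(selector) {
    return selector === 'input[name="csrfmiddlewaretoken"]'
      ? { value: "token-from-hidden-input" }
      : null;
  },
};
// A page with neither cookie nor hidden input:
const emptyDom = { querySelector() { return null; } };
```

With CSRF_USE_SESSIONS = True only the DOM path can succeed, so the admin template that hosts the indicator must render {% csrf_token %} (or expose the token some other way) for the script to find it; a null result is the case the report's first traceback hits.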