fix: Take csrf token from CMS config if possible #444
Reviewer's Guide by Sourcery

This pull request fixes an issue where the CSRF token was not being retrieved correctly. The change ensures that the CSRF token is taken from the CMS config if available, and falls back to the cookie if not.

Sequence diagram for CSRF token retrieval flow (Mermaid source):

sequenceDiagram
participant Client
participant CMS
participant Cookie
Client->>CMS: Check for CSRF token
alt CMS config has token
CMS-->>Client: Return CSRF token from config
else No token in config
Client->>Cookie: Check for CSRF token
alt Cookie has token
Cookie-->>Client: Return CSRF token from cookie
else No token in cookie
Cookie-->>Client: Return empty token
end
end
Note over Client: Use token for POST request
Flow diagram for CSRF token retrieval logic (Mermaid source):

graph TD
A[Start] --> B{CMS config has token?}
B -->|Yes| C[Use CMS config token]
B -->|No| D{Check cookie for token}
D -->|Found| E[Use cookie token]
D -->|Not found| F[Empty token]
C --> G[Use token for POST request]
E --> G
F --> G
Hey @fsbraun - I've reviewed your changes and found some issues that need to be addressed.
Blocking issues:
- Add validation to ensure csrfToken is not empty before form submission (link)
Here's what I looked at during the review
- 🟢 General issues: all looks good
- 🔴 Security: 1 blocking issue
- 🟢 Testing: all looks good
- 🟢 Complexity: all looks good
- 🟢 Documentation: all looks good
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Review thread on djangocms_versioning/static/djangocms_versioning/js/indicators.js (outdated, resolved)
@Will-Hoey Could you check if this PR solves your issue?
Codecov Report

All modified and coverable lines are covered by tests ✅

Coverage Diff (master vs. #444):

              master    #444   +/-
Coverage      90.63%  90.63%
Files             72      72
Lines           2702    2702
Branches         314     314
Hits            2449    2449
Misses           179     179
Partials          74      74
Review thread on djangocms_versioning/static/djangocms_versioning/js/indicators.js (outdated, resolved)
@Will-Hoey Can you quickly check if this patch solves your issue?
@fsbraun Apologies for the delay. Busy week! With a side note, and this isn't really likely to be too much of a problem: if I switch that setting and then try any POST request (logout, unpublish etc.) it'll raise an incorrect token message unless I refresh the page. Kind of expected though!
@Will-Hoey Ah, right, that makes sense: In the admin (only) panel the CMS object is not available. In that case, the token needs to be pulled from a hidden input field. Do you think you can give it another try?
@fsbraun the new commit works when
@Will-Hoey It works for me now. Maybe an outdated token still in the cookies? I've changed the order, so that the token from the form precedes the one in the cookies.
@fsbraun Resolved for me too using True/False values for the sessions setting, as well as in the modal and in the admin. Thanks for the speedy responses this morning!
Thank you so much for the support! Sometimes the small things are more tricky than you expect!
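The lookup order the thread settles on (CMS config first, then the hidden form input that the admin-only pages carry, then the cookie, which is absent when the sessions setting keeps the token server-side), plus the non-empty check the Sourcery review flagged as blocking, as an added example that is not code from this PR or from the djangocms-versioning project. Assumptions: the CMS config exposes the token as `CMS.config.csrf`, and Django's default names are in use for the hidden field (`csrfmiddlewaretoken`), the cookie (`csrftoken`) and the request header (`X-CSRFToken`). The lookup takes its inputs as a plain object so it can be exercised without a DOM; `collectBrowserSources` shows how those inputs would be gathered on a real page.

```javascript
// Added example (not djangocms-versioning's own code): resolve the CSRF token
// for a POST from the page in the order the PR thread settles on:
//   1. the CMS config object (absent on admin-only pages),
//   2. the hidden input rendered by Django's {% csrf_token %} in the form,
//   3. the csrftoken cookie (absent when the token is stored in the session).
// An empty result is rejected before sending, as the review asked for.
// Assumptions: the config exposes the token as CMS.config.csrf, and Django's
// default field, cookie and header names are in use.

const DEFAULT_FIELD_NAME = 'csrfmiddlewaretoken'; // Django default hidden input name
const DEFAULT_COOKIE_NAME = 'csrftoken';          // Django default CSRF_COOKIE_NAME
const CSRF_HEADER = 'X-CSRFToken';                // Django default request header

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// `sources` is a plain object so the lookup runs without a DOM:
//   cmsConfig:    the CMS.config object, or undefined
//   formFields:   { name: value } of the form's hidden inputs
//   cookieString: contents of document.cookie
// Returns { token, source } where source records which lookup succeeded.
function resolveCsrfToken(sources, options = {}) {
  const fieldName = options.fieldName || DEFAULT_FIELD_NAME;
  const cookieName = options.cookieName || DEFAULT_COOKIE_NAME;

  const fromConfig = sources.cmsConfig && sources.cmsConfig.csrf;
  if (typeof fromConfig === 'string' && fromConfig !== '') {
    return { token: fromConfig, source: 'cms-config' };
  }
  const fromForm = sources.formFields && sources.formFields[fieldName];
  if (typeof fromForm === 'string' && fromForm !== '') {
    return { token: fromForm, source: 'form' };
  }
  const fromCookie = parseCookies(sources.cookieString)[cookieName];
  if (fromCookie) {
    return { token: fromCookie, source: 'cookie' };
  }
  return { token: '', source: 'none' };
}

// Build the headers for the POST, refusing to send with an empty token: the
// server would answer 403 anyway, and a clear client-side error is easier to
// act on (reload the page to pick up a fresh token).
function buildPostHeaders(sources, options) {
  const { token } = resolveCsrfToken(sources, options);
  if (!token) {
    throw new Error('No CSRF token found in CMS config, form or cookie; reload the page');
  }
  return { [CSRF_HEADER]: token };
}

// Collect the sources from a real page. Under Node (no window/document) it
// returns an empty object, so the lookup falls through to 'none'.
function collectBrowserSources() {
  const sources = {};
  if (typeof window !== 'undefined' && window.CMS) {
    sources.cmsConfig = window.CMS.config;
  }
  if (typeof document !== 'undefined') {
    const input = document.querySelector(`input[name="${DEFAULT_FIELD_NAME}"]`);
    if (input) sources.formFields = { [DEFAULT_FIELD_NAME]: input.value };
    sources.cookieString = document.cookie;
  }
  return sources;
}

// Constructed sample: admin-only page (no CMS object), token kept in the
// session (no csrftoken cookie), so only the hidden form input can supply it.
const sampleAdminPage = {
  cmsConfig: undefined,
  formFields: { csrfmiddlewaretoken: 'FORMTOKEN-constructed' },
  cookieString: 'sessionid=abc123',
};
console.log(resolveCsrfToken(sampleAdminPage)); // { token: 'FORMTOKEN-constructed', source: 'form' }
```

The `source` field is there for debugging the situation described in the thread (a stale cookie token shadowing a fresh one): logging which lookup won makes it obvious when an outdated cookie is still being picked up.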
Description

Bug Fixes: Fixes #437