comparison doc/upgrading.txt @ 5298:6efa6d44c27a
Add doc for xmlrpc changes and errors related to anti-csrf protections.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 04 Oct 2017 22:31:44 -0400 |
| parents | b2998cb86bae |
| children | ae32f082e623 |
| 5296:b48e2fe4a7bd | 5298:6efa6d44c27a |
|---|---|
| 104 A unique random token is generated by every call to | 104 A unique random token is generated by every call to |
| 105 utils.anti_csrf_nonce() and is put in a database to be | 105 utils.anti_csrf_nonce() and is put in a database to be |
| 106 retreived if the token is used. Token lifetimes are 2 weeks | 106 retreived if the token is used. Token lifetimes are 2 weeks |
| 107 by default but can be configured in config.ini. Roundup will | 107 by default but can be configured in config.ini. Roundup will |
| 108 automatically prune old tokens. Calling anti_csrf_nonce with | 108 automatically prune old tokens. Calling anti_csrf_nonce with |
| 109 an integer lifetime, for example | 109 an integer lifetime, for example: |
| 110 | 110 |
| 111 <input name="@csrf" type="hidden" | 111 <input name="@csrf" type="hidden" |
| 112 tal:attributes="value python:utils.anti_csrf_nonce(lifetime=10)"> | 112 tal:attributes="value python:utils.anti_csrf_nonce(lifetime=10)"> |
| 113 | 113 |
| 114 sets the lifetime of that nonce to 10 minutes. | 114 sets the lifetime of that nonce to 10 minutes. |
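Review bot: "retreived" in the unchanged context at line 106 is a typo for "retrieved"; since this change already touches the neighbouring line 109 (adding the colon before the example), it is worth fixing the spelling in the same commit.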
| 150 | 150 |
| 151 in handle_csrf, you have more than one @csrf token for the form. This | 151 in handle_csrf, you have more than one @csrf token for the form. This |
| 152 usually occurs because the form uses the standard context/submit | 152 usually occurs because the form uses the standard context/submit |
| 153 element but you also added an explicit @csrf statement. Simply remove | 153 element but you also added an explicit @csrf statement. Simply remove |
| 154 the @csrf element for that form. | 154 the @csrf element for that form. |
| 155 | |
| 156 Errors and Troubleshooting - xmlrpc Required Header Missing | |
| 157 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 158 When performing and xmlrpc call, if you see something like: | |
| 159 | |
| 160 xmlrpclib.Fault: <Fault 1: "<class | |
| 161 'roundup.exceptions.UsageError'>:Required Header Missing"> | |
| 162 | |
| 163 change the setting of csrf_enforce_header_x-requested-with in | |
| 164 config.ini to no. So it looks like: | |
| 165 | |
| 166 csrf_enforce_header_x-requested-with = no | |
| 167 | |
| 168 Alternatively change your xmlrpc client to add appropriate headers to | |
| 169 the request including the: | |
| 170 | |
| 171 X-Requested-With: | |
| 172 | |
| 173 header as well as any other required csrf headers (e.g. referer, origin) | |
| 174 configured in config.ini. See the advanced python client at the end of | |
| 175 the `xmlrpc guide`_. | |
| 155 | 176 |
| 156 Support for SameSite cookie option for session cookie | 177 Support for SameSite cookie option for session cookie |
| 157 ----------------------------------------------------- | 178 ----------------------------------------------------- |
| 158 | 179 |
| 159 Support for serving the session cookie using the SameSite cookie option | 180 Support for serving the session cookie using the SameSite cookie option |
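Review bot: the troubleshooting text at lines 163-166 gives setting csrf_enforce_header_x-requested-with to no as the first remedy, which switches that CSRF check off for every client of the tracker, not only the xmlrpc one; consider presenting the client-side fix (sending the header, lines 168-175) first and saying explicitly that disabling the check lowers the CSRF protection for the whole web interface. Two smaller points in the same hunk: "When performing and xmlrpc call" at line 158 should read "an xmlrpc call", and the example at line 171 shows only "X-Requested-With:" with no value, so the text should state what value the client is expected to send, or that any value satisfies the check if that is the case.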
| 2487 | 2508 |
| 2488 | 2509 |
| 2489 .. _`customisation documentation`: customizing.html | 2510 .. _`customisation documentation`: customizing.html |
| 2490 .. _`security documentation`: security.html | 2511 .. _`security documentation`: security.html |
| 2491 .. _`administration guide`: admin_guide.html | 2512 .. _`administration guide`: admin_guide.html |
| 2513 .. _`xmlrpc guide`: xmlrpc.html |
