comparison doc/upgrading.txt @ 5275:fee207407dee
Add error and troubleshooting headers. Clarified the suggestion to a
recommendation on @csrf fields.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 24 Sep 2017 00:30:38 -0400 |
| parents | 07da34337f70 |
| children | a034f8d09a21 |
| 5274:07da34337f70 | 5275:fee207407dee |
|---|---|
| 129 or nonce and blocks access if the validation fails. If the | 129 or nonce and blocks access if the validation fails. If the |
| 130 field/header is missing it allows access. Setting these | 130 field/header is missing it allows access. Setting these |
| 131 fields to ``required`` blocks access if the header/nonce is | 131 fields to ``required`` blocks access if the header/nonce is |
| 132 missing. | 132 missing. |
| 133 | 133 |
| 134 It is suggested that you change your templates so every form | 134 It is recommended that you change your templates so every form |
| 135 has an @csrf field and change the setting to 'required' for | 135 that is not submitted via GET has an @csrf field. Then change |
| 136 the csrf_enforce_token. | 136 the csrf_enforce_token setting to 'required'. |
| 137 | |
| 138 Errors and Troubleshooting | |
| 139 ~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 137 | 140 |
| 138 If you see the @csrf nonce in the URL, you have added the value to a | 141 If you see the @csrf nonce in the URL, you have added the value to a |
| 139 form that uses the GET method. You should remove the @csrf token from | 142 form that uses the GET method. You should remove the @csrf token from |
| 140 these forms as it is not needed. | 143 these forms as it is not needed. |
| 141 | 144 |
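Review bot: The new recommendation at lines 134-136 (right side) leaves the consequence of doing the two steps out of order unstated; since lines 131-132 say ``required`` blocks access whenever the nonce is missing, a POST form that has not yet received its @csrf field will be rejected as soon as csrf_enforce_token is switched. Consider adding one sentence after "Then change the csrf_enforce_token setting to 'required'." such as "Forms that still lack the @csrf field will be rejected once this setting is 'required'." Also a style point: line 131 writes the value as ``required`` (rST literal) while line 136 writes it as 'required'; use the literal form in both places.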
| 300 | 303 |
| 301 <form method="post" tal:attributes="action string:${request/env/PATH_INFO}"> | 304 <form method="post" tal:attributes="action string:${request/env/PATH_INFO}"> |
| 302 | 305 |
| 303 the important part is that the action field **must not** include any query | 306 the important part is that the action field **must not** include any query |
| 304 parameters ('#' includes query params). | 307 parameters ('#' includes query params). |
| 308 | |
| 309 Errors and Troubleshooting | |
| 310 ~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 305 | 311 |
| 306 One symptom of failing to do this is getting an error: | 312 One symptom of failing to do this is getting an error: |
| 307 | 313 |
| 308 Unrecognized scheme in .... | 314 Unrecognized scheme in .... |
| 309 | 315 |
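Review bot: Inserting the "Errors and Troubleshooting" heading at lines 309-310 (right side) strands the pronoun in "One symptom of failing to do this is getting an error:" on line 312; after a section break, "this" no longer has an obvious antecedent (the action attribute rule on lines 306-307). Suggest rewording the sentence under the new heading to name the condition, e.g. "One symptom of an action attribute that includes query parameters is the error:".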
| 510 | 516 |
| 511 s = db.security.addPermission(name='Search', klass='query', | 517 s = db.security.addPermission(name='Search', klass='query', |
| 512 properties=['creator'], | 518 properties=['creator'], |
| 513 description="User is allowed to Search queries for creator") | 519 description="User is allowed to Search queries for creator") |
| 514 db.security.addPermissionToRole('User', s) | 520 db.security.addPermissionToRole('User', s) |
| 521 | |
| 522 Errors and Troubleshooting | |
| 523 ~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 515 | 524 |
| 516 If you do not do this, public queries will be listed twice in the edit | 525 If you do not do this, public queries will be listed twice in the edit |
| 517 interface. Once in the "Queries I created" section and again in the | 526 interface. Once in the "Queries I created" section and again in the |
| 518 "Queries others created" section of the query edit page | 527 "Queries others created" section of the query edit page |
| 519 (``http..../query?@template=edit``). | 528 (``http..../query?@template=edit``). |
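Review bot: Same antecedent problem as the earlier hunks: after the new heading at lines 522-523 (right side), "If you do not do this" on line 525 no longer points clearly at the Search permission added on lines 517-520; suggest "If you do not add the Search permission on the query class, public queries will be listed twice ...". Separately, this is the third section in the same file titled "Errors and Troubleshooting"; reStructuredText derives section targets from the title text, so duplicate titles produce "Duplicate implicit target name" messages and auto-suffixed anchors, which makes these sections awkward to link to. Consider qualifying each title with its topic (for example "CSRF Errors and Troubleshooting").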
