diff doc/upgrading.txt @ 5298:6efa6d44c27a
Add doc for xmlrpc changes and errors related to anti-csrf protections.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 04 Oct 2017 22:31:44 -0400 |
| parents | b2998cb86bae |
| children | ae32f082e623 |
--- a/doc/upgrading.txt Thu Sep 28 19:22:21 2017 -0400 +++ b/doc/upgrading.txt Wed Oct 04 22:31:44 2017 -0400 @@ -106,7 +106,7 @@ retreived if the token is used. Token lifetimes are 2 weeks by default but can be configured in config.ini. Roundup will automatically prune old tokens. Calling anti_csrf_nonce with -an integer lifetime, for example +an integer lifetime, for example: <input name="@csrf" type="hidden" tal:attributes="value python:utils.anti_csrf_nonce(lifetime=10)"> @@ -153,6 +153,27 @@ element but you also added an explicit @csrf statement. Simply remove the @csrf element for that form. +Errors and Troubleshooting - xmlrpc Required Header Missing +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +When performing and xmlrpc call, if you see something like: + + xmlrpclib.Fault: <Fault 1: "<class + 'roundup.exceptions.UsageError'>:Required Header Missing"> + +change the setting of csrf_enforce_header_x-requested-with in +config.ini to no. So it looks like: + + csrf_enforce_header_x-requested-with = no + +Alternatively change your xmlrpc client to add appropriate headers to +the request including the: + + X-Requested-With: + +header as well as any other required csrf headers (e.g. referer, origin) +configured in config.ini. See the advanced python client at the end of +the `xmlrpc guide`_. + Support for SameSite cookie option for session cookie ----------------------------------------------------- @@ -2489,3 +2510,4 @@ .. _`customisation documentation`: customizing.html .. _`security documentation`: security.html .. _`administration guide`: admin_guide.html +.. _`xmlrpc guide`: xmlrpc.html
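Review bot: in the new "xmlrpc Required Header Missing" section (hunk @@ -153,6 +153,27 @@), the first remedy offered is "csrf_enforce_header_x-requested-with = no", and the text never says that this turns off the header check the error comes from. Consider putting the client-side fix first (send X-Requested-With plus any other csrf headers required in config.ini) and presenting the config change as the fallback, with one sentence on what is lost by setting it to no. The "X-Requested-With:" line is shown without a value, so a reader cannot tell what to send; show a sample value or say that any value is accepted, whichever is the case. Typo on the first added sentence: "When performing and xmlrpc call" should read "an xmlrpc call".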
