Hi Cecilia,

On 2011-04-27 10:07, Cecilia Albertsson wrote:
> Hi Alaa,
>
> Thanks for the suggestion, but it didn't work. I still got the same CSRF 
> error when clicking the accept and reject buttons. However, looking at the 
> Django sites listed below, I think the reason it didn't work is that your fix 
> is for Django 1.2 and later only.
In your CentOS install, are you using the EPEL builds that I make or are 
you installing from tarballs?

Thanks for spotting this; it probably means that I need to patch this for 
my EPEL5 builds of Pootle 2.1.6.

See bug https://bugzilla.redhat.com/show_bug.cgi?id=700337

> http://docs.djangoproject.com/en/1.1/ref/contrib/csrf/
> http://docs.djangoproject.com/en/dev/ref/contrib/csrf/
>
> Since I couldn't find any appropriate rpm packages for Django 1.2, I am 
> unable at this point to update Django, and therefore applied the following 
> (ugly) fix, and now I can review suggestions again.
>
> In pootle/html/js/translatepage.js:
>    /* Uncomment when using Django 1.2 or later */
>    // if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
>    //     // Only send the token to relative URLs i.e. locally.
>    //     xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
>    // }
>
>    /* Uncomment when using Django 1.1 or earlier */
>    if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
>        // Only send the token to relative URLs i.e. locally.
>        xhr.setRequestHeader("X-CSRFToken", $("#csrfmiddlewaretoken").val());
>    }
>
> Now I have to remember to change it back when I finally do upgrade Django... 
> (>_<)
> So if you can incorporate a more beautiful fix in the next Pootle release, 
> that would be tremendously helpful.
>
> Maybe the following information can help you. With your CSRF fix in 
> translatepage.js unchanged, the X-CSRFToken in the request header is null:
> X-CSRFToken:null
> X-Requested-With:XMLHttpRequest
>
> The relevant code in Django, corresponding to the script csrf.py mentioned in 
> the other thread, seems for Django 1.1.4 to be in 
> django/contrib/csrf/middleware.py:
>
>              csrf_token = _make_token(session_id)
>              # check incoming token
>              request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
>              if request_csrf_token == "":
>                  # Fall back to X-CSRFToken, to make things easier for AJAX
>                  request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
>
>              if request_csrf_token == "":
>                  return HttpResponseForbidden(_ERROR_MSG)
>
>              if request_csrf_token != csrf_token:
>                  return HttpResponseForbidden(_ERROR_MSG)
>
> Cecilia
>
>
> -----Original Message-----
> From: Alaa Abd El Fattah [mailto:a...@translate.org.za]
> Sent: Tuesday, April 26, 2011 7:47 PM
> To: Cecilia Albertsson
> Cc: Translate-pootle@lists.sourceforge.net
> Subject: Re: [translate-pootle] Cannot review suggestions after CentOS update
>
>
> Try upgrading to 2.1.6 which we just released, it fixed the CSRF issue.
>
> cheers,
> Alaa
>
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network
> management toolset available today.  Delivers lowest initial
> acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd
> _______________________________________________
> Translate-pootle mailing list
> Translate-pootle@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/translate-pootle


-- 
regards
Dwayne

