[
https://issues.apache.org/jira/browse/STORM-749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14394484#comment-14394484
]
ASF GitHub Bot commented on STORM-749:
--------------------------------------
Github user d2r commented on a diff in the pull request:
https://github.com/apache/storm/pull/502#discussion_r27732192
--- Diff: storm-core/src/clj/backtype/storm/ui/core.clj ---
@@ -975,7 +971,7 @@
name (.get_name tplg)]
(.activate nimbus name)
(log-message "Activating topology '" name "'")))
- (json-response (topology-op-response id "deactivate") (m "callback")))
+ (json-response (topology-op-response id "activate") (m "callback")))
--- End diff --
Good catch. This needs to be fixed in 0.10.x-branch also.
> Remove CSRF check from rest API
> -------------------------------
>
> Key: STORM-749
> URL: https://issues.apache.org/jira/browse/STORM-749
> Project: Apache Storm
> Issue Type: Task
> Affects Versions: 0.9.3
> Reporter: Parth Brahmbhatt
> Assignee: Parth Brahmbhatt
> Fix For: 0.10.0
>
>
> I think we can safely get rid of the whole CSRF code. CSRF vulnerability is
> only exposed when websites use session based authentication. In our case we
> only use http authentication so we are not really vulnerable to CSRF attacks.
> Currently the CSRF check only hinders non browser clients.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
