On 02/10/2011 10:08 PM, Alex Busenius wrote:
> Hi,
>
> On 02/10/2011 09:38 PM, sdumitriu (SVN) wrote:
>> Author: sdumitriu
>> Date: 2011-02-10 21:38:15 +0100 (Thu, 10 Feb 2011)
>> New Revision: 34623
>>
>> Modified:
>>
>> platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/XWikiGroupSheet.xml
>> Log:
>> XAADMINISTRATION-218: CSRF token not included in add-group-member ajax
>> request
>> Fixed.
>> Patch from Andreas Jonsson applied with a slight change (applied
>> escapetool.url for safety)
>>
>> Modified:
>> platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/XWikiGroupSheet.xml
>> ===================================================================
>> ---
>> platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/XWikiGroupSheet.xml
>> 2011-02-10 20:37:52 UTC (rev 34622)
>> +++
>> platform/xwiki-applications/trunk/administration/src/main/resources/XWiki/XWikiGroupSheet.xml
>> 2011-02-10 20:38:15 UTC (rev 34623)
>> @@ -171,7 +171,7 @@
>> },
>> addNewMember: function(uorg, input) {
>> if (input) {
>> - var url = "${doc.getURL()}?xpage=adduorg&uorg=" +
>> encodeURIComponent(uorg) + "&name=" + encodeURIComponent(input.value);
>> + var url = "${doc.getURL()}?xpage=adduorg&uorg=" +
>> encodeURIComponent(uorg) + "&name=" + encodeURIComponent(input.value) +
>> "&form_token=$!{escapetool.url($services.csrf.getToken())}";
>
> actually, $services.csrf.getToken() returns the token in a URL-safe
> base64 encoding, so it should work fine without escapetool.
I know, but an extra encoding doesn't break anything.
> Regards,
> Alex
>
>> new Ajax.Request(url, {
>> method: 'get',
>> onSuccess: function(transport) {
>>
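Review bot: The `form_token` is appended to the query string of a request that is sent with `method: 'get'`, so the CSRF token for a state-changing call (adding a group member) travels in the URL, where it can end up in server and proxy access logs and in browser history. Consider switching this `Ajax.Request` to `method: 'post'` and sending `uorg`, `name` and `form_token` in the request body instead of concatenating them into `url`. Separately, the quiet reference `$!{...}` renders an empty string if the token cannot be resolved, so the request would be sent with an empty `form_token` and no visible error; the server-side check should treat an empty token as invalid.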
--
Sergiu Dumitriu
http://purl.org/net/sergiu/