436994 - CSRF error message should return HTTP code 400, not 200

Status: VERIFIED FIXED

(addons.mozilla.org Graveyard :: Admin/Editor Tools, defect)

Description

[Wil Clouser [:clouserw]]

From bug 435450, the feature list javascript should check the return response from the server.  To reproduce:

1) Go to the editor's feature list and add a feature
2) Tamper with the POST request and make the sessioncheck variable invalid

Expected results:

1) A 400 response from the server and an appropriate error

Actual results:

1) A 200 response from the server and it's added to the list.  However, it's only added client side and refreshing the page doesn't show the add-on in the list.

Comment 1

[Fred Wenzel [:wenzel]]

I think the "sessionCheck check" does not set the HTTP response code correctly when receiving an incorrect sessioncheck ID. When I wrote the code, I tried putting incorrect values into the form and when the "add feature" code returns an error, the AJAX javascript honors this correctly, so I am quite sure the CSRF check is at fault here.

Comment 2

[Fred Wenzel [:wenzel]]

Attachment: Patch, rev. 1

Just closing out a few old bugs and this one is a one-liner.

Comment 3

[Fred Wenzel [:wenzel]]

r24391. Thanks!

Comment 4

[Stephen Donner [:stephend] Not actively reading bugmail]

Attachment: post-fix screenshot

Comment 5

[Stephen Donner [:stephend] Not actively reading bugmail]

As the screenshot in comment 4 shows, I get a status code/error of 400 returned.

Verified FIXED