
CSRF verification failed (403) when admin editing a collection

Status: RESOLVED WONTFIX
Product: addons.mozilla.org Graveyard
Component: Collections
Reported: 7 years ago
Last modified: 2 years ago

Reporter: jorgev (Unassigned)

Attachments: 1

Description (Reporter, 7 years ago)

Steps to reproduce:

1) Go to https://preview.addons.mozilla.org/en-US/firefox/collections/justin-scott-fligtar/ryf-apr-2010/edit/ using an admin account.
2) Click on Save Changes.

I get this:

Forbidden (403)

CSRF verification failed. Request aborted.

More information is available with DEBUG=True.

Dave Dash couldn't reproduce, though, so it might be related to my account or the specific server I'm using: pm-app-amo24.mozilla.org.

Comment 1

I see three form[method=post] and three form[method=post] input[name=csrfmiddlewaretoken].

Comment 2

I think Jeff is saying this works for him, and I can't reproduce it either. Did you log out/in?

Comment 3 (Reporter, 7 years ago)

I just tested in my default Firefox profile (4.0b4), where I was already logged in, and everything worked as expected.

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b4) Gecko/20100818 Firefox/4.0b4

Then I opened my test profile (3.6.8), logged in and was able to reproduce:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Logging out and logging back in didn't help.

Comment 4

(In reply to comment #3)
> Then I opened my test profile (3.6.8), logged in and was able to reproduce:

Does your csrftoken in that profile match what's embedded in the page?  Do you have cookies turned off?

Comment 5 (Reporter, 7 years ago)

(In reply to comment #4)
> Does your csrftoken in that profile match what's embedded in the page?

How can I check this?

> Do you have cookies turned off?

No.

Comment 6 (Reporter, 7 years ago)

Created attachment 469512
Data captured by Tamper Data when submitting form
Attachment #469512 - Flags: feedback?(jbalogh)

Comment 7

CSRF is failing due to the strict referrer checking on https, plus your lacking a Referer header.

Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
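Comment 7 gives the cause (a POST over HTTPS with no Referer header) and comment 4 asks whether the csrftoken cookie matches the token embedded in the page, which comment 5 does not know how to check. The following is an added example, not Zamboni/AMO code: it models the order of checks Django's CsrfViewMiddleware applied around the Django 1.2 era (safe methods skip everything; on HTTPS a same-origin Referer is required before the token is even looked at; then the csrftoken cookie must equal the csrfmiddlewaretoken form field) and runs it over constructed request captures. The function names, the captures, the token value and the HTML snippet are all mine; the Tamper Data attachment from comment 6 is not reproduced here.

```python
import re
from urllib.parse import urlsplit

# Added example: a model of Django's CsrfViewMiddleware decision logic
# (1.2-era), not the middleware itself and not Zamboni code.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - {} does not match {}."
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def same_origin(url1, url2):
    """True when scheme, host and port agree (what Django's same_origin does)."""
    a, b = urlsplit(url1), urlsplit(url2)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def csrf_check(method, is_secure, host, headers, cookies, post):
    """Return None if the request passes, else the rejection reason.

    On HTTPS the Referer check runs first, so a request that strips the
    Referer is rejected even when cookie and form token agree perfectly.
    """
    if method in SAFE_METHODS:
        return None
    if is_secure:
        referer = headers.get("Referer")
        if referer is None:
            return REASON_NO_REFERER
        good_referer = "https://{}/".format(host)
        if not same_origin(referer, good_referer):
            return REASON_BAD_REFERER.format(referer, good_referer)
    cookie_token = cookies.get("csrftoken")
    if cookie_token is None:
        return REASON_NO_CSRF_COOKIE
    if post.get("csrfmiddlewaretoken") != cookie_token:
        return REASON_BAD_TOKEN
    return None


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; enough for the debugging check."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def page_csrf_token(html):
    """Pull the csrfmiddlewaretoken hidden-input value out of rendered HTML.
    Assumes the name attribute precedes value, as Django's tag renders it."""
    m = re.search(r"""name=["']csrfmiddlewaretoken["']\s+value=["']([^"']+)""", html)
    return m.group(1) if m else None


def tokens_match(cookie_header, html):
    """Comment 4's question: does the csrftoken cookie match the page's token?"""
    return parse_cookie_header(cookie_header).get("csrftoken") == page_csrf_token(html)


# Constructed captures (hypothetical values, not the attachment from comment 6).
HOST = "preview.addons.mozilla.org"
TOKEN = "c5b8b3d4e3c14b6f9a7c1d2e3f4a5b6c"
EDIT_URL = ("https://preview.addons.mozilla.org/en-US/firefox/collections/"
            "justin-scott-fligtar/ryf-apr-2010/edit/")
COOKIES = {"csrftoken": TOKEN, "sessionid": "abc"}
FORM = {"csrfmiddlewaretoken": TOKEN, "name": "RYF Apr 2010"}

CAPTURES = {
    # profile that sends a Referer: passes
    "ff4_with_referer": dict(method="POST", is_secure=True, host=HOST,
                             headers={"Referer": EDIT_URL}, cookies=COOKIES, post=FORM),
    # profile that strips the Referer: rejected before tokens are compared
    "ff36_no_referer": dict(method="POST", is_secure=True, host=HOST,
                            headers={}, cookies=COOKIES, post=FORM),
    # same request over plain http: no Referer requirement, passes
    "http_no_referer": dict(method="POST", is_secure=False, host=HOST,
                            headers={}, cookies=COOKIES, post=FORM),
    # stale cookie from an earlier login: Referer is fine, tokens differ
    "stale_cookie": dict(method="POST", is_secure=True, host=HOST,
                         headers={"Referer": EDIT_URL},
                         cookies={"csrftoken": "0" * 32}, post=FORM),
}


def run_captures():
    """Map each constructed capture to its rejection reason (None = accepted)."""
    return {name: csrf_check(**req) for name, req in CAPTURES.items()}


if __name__ == "__main__":
    for name, reason in run_captures().items():
        print("{:18s} -> {}".format(name, reason or "accepted"))
```

The reason strings are what Django reports on the 403 page when DEBUG=True, which is why the production page in the description only says "CSRF verification failed. Request aborted." The check for comment 4 is `tokens_match(cookie_header, html)` with the browser's Cookie header and the page source of the edit form; note that it passing does not rule out this bug, because the Referer check runs first and a missing Referer fails regardless of the tokens.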

Comment 8

You also get HTTP 403 Forbidden when you try to edit somebody else's profile.

STR:
1. log in as an admin
2. go to any user's profile page https://preview.addons.mozilla.org/en-US/firefox/user/167/
3. click on 'Manage User'

Actual result:
http 403 forbidden

Expected result:
Edit user profile page.

Comment 9

(In reply to comment #8)
> You also get http 403 forbidden when you try edit somebody else's profile.
> 
> STR:
> 1. log in as an admin
> 2. go to any user's profile page
> https://preview.addons.mozilla.org/en-US/firefox/user/167/
> 3. click on 'Manage User'
> 
> Actual result:
> http 403 forbidden
> 
> Expected result:
> Edit user profile page.

WFM; you sure you're an Admin?

Comment 10

(In reply to comment #9)
> WFM; you sure you're an Admin?

Krupa figured it out. When you are admin on remora but not on Zamboni you get 403.

Comment 11 (7 years ago)
See bug https://bugzilla.mozilla.org/show_bug.cgi?id=583862 for comment 10

Updated (6 years ago)
Attachment #469512 - Flags: feedback?(jbalogh)

Updated (2 years ago)
Product: addons.mozilla.org → addons.mozilla.org Graveyard