947767 - When signed in, submitting feedback to firefox OS form returns 403 FORBIDDEN

Status: RESOLVED FIXED

(Input Graveyard :: Submission, defect, P2)

Description

[Ricky Rosario [:rrosario, :r1cky]]

I know this isn't a big deal since auth'd users shouldn't be submitting feedback, but I found it interesting. I was signed in to stage and testing the Firefox OS form (while taking screenshots) and when I went to submit feedback I got:

POST https://input.allizom.org/api/v1/feedback/ [HTTP/1.1 403 FORBIDDEN 257ms]

Comment 1

[Will Kahn-Greene [:willkg] ET needinfo? me]

I hit this semi-frequently locally with the Firefox OS feedback form but figured it was because 127.0.0.1:8000 gets used for all my development sites and I was mixing cookies. I don't think I've ever hit this with the normal feedback form.

Comment 2

[Will Kahn-Greene [:willkg] ET needinfo? me]

Oh wait--you said you're testing that form. So you're totally hitting the same thing I am.

That uses the API and it's probably the case that if you're logged in, the API expects you to be sending CSRF token. I think there are a couple of options:

1. figure out how to disable CSRF for django-rest-framework things altogether
2. figure out how to not send cookies with the POST

Or something like that. I'll have to look into it more.

Comment 3

[Will Kahn-Greene [:willkg] ET needinfo? me]

Bumping this to next quarter to look into.

Comment 4

[Will Kahn-Greene [:willkg] ET needinfo? me]

Moving this to 2014q2.

This is kind of annoying. I'd like to get it fixed.

Comment 5

[Will Kahn-Greene [:willkg] ET needinfo? me]

Pushing this off one more quarter. I keep hitting it, but it only affects analysts and admin.

Comment 6

[Will Kahn-Greene [:willkg] ET needinfo? me]

Should be fixed in https://github.com/mozilla/fjord/commit/6f78e2e

I'll verify this once I push it to a server.

Comment 7

[Will Kahn-Greene [:willkg] ET needinfo? me]

Verified it on stage. IT IS FIXED!