Closed Bug 947767 Opened 10 years ago Closed 10 years ago

When signed in, submitting feedback to Firefox OS form returns 403 FORBIDDEN

Categories

(Input Graveyard :: Submission, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rrosario, Assigned: willkg)

Details

(Whiteboard: u=user c=submission p=1 s=input.2014q3)

I know this isn't a big deal since auth'd users shouldn't be submitting feedback, but I found it interesting. I was signed in to stage and testing the Firefox OS form (while taking screenshots) and when I went to submit feedback I got:

POST https://input.allizom.org/api/v1/feedback/ [HTTP/1.1 403 FORBIDDEN 257ms]
OS: Mac OS X → All
Hardware: x86 → All
I hit this semi-frequently locally with the Firefox OS feedback form but figured it was because 127.0.0.1:8000 gets used for all my development sites and I was mixing cookies. I don't think I've ever hit this with the normal feedback form.
Oh wait--you said you're testing that form. So you're totally hitting the same thing I am.

That uses the API and it's probably the case that if you're logged in, the API expects you to be sending a CSRF token. I think there are a couple of options:

1. figure out how to disable CSRF for django-rest-framework things altogether
2. figure out how to not send cookies with the POST

Or something like that. I'll have to look into it more.
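
The behaviour suspected in the comment above, as an added example that is not part of the original bug thread and is not fjord's or django-rest-framework's code: a simplified standard-library model in which the CSRF check runs only for requests whose session cookie identifies a signed-in user. The cookie names `sessionid` and `csrftoken` and the `X-CSRFToken` header are Django's defaults; the session id, token values and the `handle_feedback` function are constructed for illustration.

```python
import hmac

# Constructed sample data: one valid session for a signed-in analyst.
VALID_SESSIONS = {"sess-analyst-1": "analyst"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def handle_feedback(method, cookies=None, headers=None, enforce_csrf=True):
    """Return (status, user) for a request to the feedback endpoint.

    Simplified model: the CSRF check runs only after the session cookie
    has identified a signed-in user, so anonymous posts need no token.
    """
    cookies, headers = cookies or {}, headers or {}
    ok = 201 if method == "POST" else 200
    user = VALID_SESSIONS.get(cookies.get("sessionid", ""))
    if user is None:
        return ok, None  # anonymous: no session, no CSRF check
    if enforce_csrf and method not in SAFE_METHODS:
        cookie_token = cookies.get("csrftoken", "")
        header_token = headers.get("X-CSRFToken", "")
        # Double-submit check: the header must repeat the cookie's token.
        if not cookie_token or not hmac.compare_digest(cookie_token, header_token):
            return 403, user
    return ok, user


def scenarios():
    """Replay the reported case and the options discussed in the thread."""
    signed_in = {"sessionid": "sess-analyst-1", "csrftoken": "tok-constructed"}
    token = {"X-CSRFToken": "tok-constructed"}
    return {
        "anonymous": handle_feedback("POST")[0],
        "signed_in_no_token": handle_feedback("POST", signed_in)[0],  # the bug
        # Option 1: CSRF disabled for the API. The post succeeds, but so
        # would one forged by another site in the analyst's browser.
        "csrf_disabled": handle_feedback("POST", signed_in, enforce_csrf=False)[0],
        # Option 2: the client sends no cookies, so the post is anonymous.
        "cookies_omitted": handle_feedback("POST", {})[0],
        "with_token": handle_feedback("POST", signed_in, token)[0],
        "wrong_token": handle_feedback("POST", signed_in, {"X-CSRFToken": "x"})[0],
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```
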
Bumping this to next quarter to look into.
Whiteboard: u=user c=submission p= s=input.2014q1
Moving this to 2014q2.

This is kind of annoying. I'd like to get it fixed.
Priority: -- → P2
Whiteboard: u=user c=submission p= s=input.2014q1 → u=user c=submission p= s=input.2014q2
Pushing this off one more quarter. I keep hitting it, but it only affects analysts and admin.
Whiteboard: u=user c=submission p= s=input.2014q2 → u=user c=submission p= s=input.2014q3
Should be fixed in https://github.com/mozilla/fjord/commit/6f78e2e

I'll verify this once I push it to a server.
Assignee: nobody → willkg
Whiteboard: u=user c=submission p= s=input.2014q3 → u=user c=submission p=1 s=input.2014q3
Verified it on stage. IT IS FIXED!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: Input → Input Graveyard