Posted to commits@airflow.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/09/03 18:38:00 UTC

[jira] [Commented] (AIRFLOW-2866) Missing CSRF Token Error on Web RBAC UI Create/Update Operations

    [ https://issues.apache.org/jira/browse/AIRFLOW-2866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16602389#comment-16602389 ] 

ASF GitHub Bot commented on AIRFLOW-2866:
-----------------------------------------

Fokko closed pull request #3804: [AIRFLOW-2866] Fix missing CSRF token header when using RBAC UI
URL: https://github.com/apache/incubator-airflow/pull/3804

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/airflow/www_rbac/static/js/clock.js b/airflow/www_rbac/static/js/base.js
similarity index 84%
rename from airflow/www_rbac/static/js/clock.js
rename to airflow/www_rbac/static/js/base.js
index afde7c2545..ea065792a5 100644
--- a/airflow/www_rbac/static/js/clock.js
+++ b/airflow/www_rbac/static/js/base.js
@@ -33,4 +33,11 @@ function displayTime() {
 $(document).ready(function () {
   displayTime();
   $('span').tooltip();
+  $.ajaxSetup({
+    beforeSend: function(xhr, settings) {
+      if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
+        xhr.setRequestHeader("X-CSRFToken", csrfToken);
+      }
+    }
+  });
 });
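Review bot: the `!this.crossDomain` test in the `beforeSend` handler should read `!settings.crossDomain`. jQuery invokes `beforeSend` with `this` bound to the `context` option when a caller supplies one, so for such a request `this.crossDomain` is undefined and the header would be attached even to a cross-origin request, leaking the token to another origin. `settings` is always the resolved ajax settings object and carries `crossDomain` reliably. Separately, `csrfToken` is a bare global that this file assumes the enclosing page defines before `base.js` loads; a guard such as `typeof csrfToken !== 'undefined'` (or a comment at the top of the file stating the dependency) would avoid a `ReferenceError` that silently breaks every non-safe request on any page that includes the script without the inline block.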
diff --git a/airflow/www_rbac/templates/appbuilder/baselayout.html b/airflow/www_rbac/templates/appbuilder/baselayout.html
index 1653a909d0..89e32cae78 100644
--- a/airflow/www_rbac/templates/appbuilder/baselayout.html
+++ b/airflow/www_rbac/templates/appbuilder/baselayout.html
@@ -67,9 +67,9 @@
 {% block tail_js %}
 {{ super() }}
 <script type="text/javascript">
-  // below variables are used in clock.js
+  // below variables are used in base.js
   var hostName = '{{ hostname }}';
   var csrfToken = '{{ csrf_token() }}';
 </script>
-<script src="{{ url_for_asset('clock.js') }}" type="text/javascript"></script>
+<script src="{{ url_for_asset('base.js') }}" type="text/javascript"></script>
 {% endblock %}
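Review bot: the inline block must stay before the `base.js` `<script>` tag, since `base.js` reads `csrfToken` at `$(document).ready` time; the comment on the `var` lines could say so explicitly rather than only "used in base.js". Embedding `{{ csrf_token() }}` inside a single-quoted JS string relies on Jinja's HTML autoescaping, which is not a JS-string escaper; `{{ csrf_token()|tojson }}` (without the surrounding quotes) is the idiomatic way to hand a server value to JavaScript and does not depend on the token's character set. Also worth noting in the PR description that this layout is the only place the token is exposed, so any template that does not extend `baselayout.html` will not get the header.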
diff --git a/airflow/www_rbac/webpack.config.js b/airflow/www_rbac/webpack.config.js
index 29b99f408f..16f394cc61 100644
--- a/airflow/www_rbac/webpack.config.js
+++ b/airflow/www_rbac/webpack.config.js
@@ -35,7 +35,7 @@ const BUILD_DIR = path.resolve(__dirname, './static/dist');
 const config = {
   entry: {
     connectionForm: `${STATIC_DIR}/js/connection_form.js`,
-    clock: `${STATIC_DIR}/js/clock.js`,
+    base: `${STATIC_DIR}/js/base.js`,
     graph: `${STATIC_DIR}/js/graph.js`,
     ganttChartD3v2: `${STATIC_DIR}/js/gantt-chart-d3v2.js`,
     main: `${STATIC_DIR}/css/main.css`,
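Review bot: renaming the `clock` entry to `base` changes the emitted asset name that `url_for_asset('base.js')` resolves through the webpack manifest, so the built `static/dist` output and its manifest must be regenerated together with this change or the template will reference an asset that does not exist; the PR should mention the rebuild step. A quick `grep` for any remaining `clock.js` references outside the three files in this diff would confirm nothing else still loads the old bundle name.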


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Missing CSRF Token Error on Web RBAC UI Create/Update Operations
> ----------------------------------------------------------------
>
>                 Key: AIRFLOW-2866
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2866
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: webapp
>            Reporter: Jasper Kahn
>            Priority: Major
>             Fix For: 1.10.1
>
>
> Attempting to modify or delete many resources (such as Connections or Users) results in a 400 from the webserver:
> {quote}{{Bad Request}}
> {{The CSRF session token is missing.}}{quote}
> Logs report:
> {quote}{{[2018-08-07 18:45:15,771] \{csrf.py:251} INFO - The CSRF session token is missing.}}
> {{192.168.9.1 - - [07/Aug/2018:18:45:15 +0000] "POST /admin/connection/delete/ HTTP/1.1" 400 150 "http://localhost:8081/admin/connection/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"}}{quote}
> Chrome dev tools show the CSRF token is present in the request payload.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)