Bug #3583
Fix helpdesk csrf token handling
| Status: | Resolved | Start date: | 04/11/2013 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | Kostas Papadimitriou | % Done: | 0% |
| Category: | Cyclades Helpdesk | Spent time: | - |
| Target version: | 0.13.1 | | |
Description
Change the helpdesk csrf context variable name to avoid a conflict with the Django csrf middleware.
The helpdesk app uses the token value stored in the astakos cookie to decide whether the user may access its views. To prevent csrf attacks, the same value is sent with every helpdesk action POST request, mimicking the Django csrf token flow, since the csrf/session middlewares are not used by the cyclades app.
Django forces the csrf context processor to be used even when it is not listed in the TEMPLATE_CONTEXT_PROCESSORS setting. That processor overwrites the csrf_token variable the helpdesk view passes to the template, causing all helpdesk user actions to fail.
```python
# django/template/core/context.py
# We need the CSRF processor no matter what the user has in their settings,
# because otherwise it is a security vulnerability, and we can't afford to leave
# this to human error or failure to read migration instructions.
_builtin_context_processors = ('django.core.context_processors.csrf',)
```
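The clash is easier to see with a small model of how a RequestContext is assembled: the view's dictionary goes in first, and every context processor's dictionary is layered on top, so a processor key with the same name wins. The block below is an added example written for this ticket, not Synnefo/Cyclades or Django code; it stands in for the builtin csrf processor with a plain function, uses a constructed astakos token, and assumes the renamed variable is called `helpdesk_csrf_token` (the ticket does not name the new variable). It also shows the cookie-versus-POST comparison the helpdesk relies on, done in constant time.

```python
"""Added example: model of Django's context-processor layering and the
helpdesk token check.  Not Synnefo/Cyclades or Django code; the variable
name helpdesk_csrf_token and the sample values are assumptions."""
import hmac


def builtin_csrf_processor(request):
    # Stand-in for django.core.context_processors.csrf: it always emits a
    # 'csrf_token' key.  Without the csrf middleware there is no token on
    # the request, and the real processor resolves to the string
    # 'NOTPROVIDED' in that case.
    return {"csrf_token": request.get("django_csrf_token", "NOTPROVIDED")}


# Django adds this processor regardless of TEMPLATE_CONTEXT_PROCESSORS.
BUILTIN_PROCESSORS = (builtin_csrf_processor,)


def build_request_context(request, view_context, processors=BUILTIN_PROCESSORS):
    """Assemble a context the way RequestContext does: the view's dict is the
    bottom layer and each processor's dict is pushed on top.  Resolving a
    name searches from the top layer down, so a processor key shadows a
    view key of the same name."""
    layers = [dict(view_context)]
    for processor in processors:
        layers.append(processor(request))
    resolved = {}
    for layer in layers:          # later layers overwrite earlier ones
        resolved.update(layer)
    return resolved


def helpdesk_view_context(astakos_token, variable_name):
    """What the helpdesk view hands to the template: the token from the
    astakos cookie under the given variable name, plus unrelated data."""
    return {variable_name: astakos_token, "section": "helpdesk"}


def rendered_token(request, astakos_token, variable_name):
    """Value the template would see for `variable_name` after context
    processors have run.  This is what gets embedded in the action form."""
    ctx = build_request_context(request, helpdesk_view_context(astakos_token, variable_name))
    return ctx[variable_name]


def token_is_valid(cookie_token, posted_token):
    """Server-side check on a helpdesk action POST: the submitted token must
    equal the value in the astakos cookie.  compare_digest avoids leaking
    the match position through timing."""
    if not cookie_token or not posted_token:
        return False
    return hmac.compare_digest(cookie_token, posted_token)


if __name__ == "__main__":
    request = {}                               # constructed: no csrf middleware ran
    astakos_token = "0123456789abcdef0123456789abcdef"  # constructed sample cookie value

    # Before the fix: the view's csrf_token is shadowed by the builtin processor,
    # the form carries 'NOTPROVIDED', and every helpdesk POST is rejected.
    before = rendered_token(request, astakos_token, "csrf_token")
    print("before:", before, "valid:", token_is_valid(astakos_token, before))

    # After the fix: a name the builtin processor never sets survives intact.
    after = rendered_token(request, astakos_token, "helpdesk_csrf_token")
    print("after: ", after, "valid:", token_is_valid(astakos_token, after))
```

Running the block prints `NOTPROVIDED` for the original variable name and the astakos value for the renamed one; only the latter passes `token_is_valid`, which is the observable symptom the ticket describes.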