Closed DionKoolhaas closed 6 years ago
Hi @DionKoolhaas, thanks for posting your issue.
Can you please confirm if you're using the 0.1.0 release of ckan-security or master?
We're currently looking into a related issue: https://github.com/data-govt-nz/ckanext-security/issues/6
My understanding is that prior to this PR being merged (https://github.com/data-govt-nz/ckanext-security/pull/5/files), the CSRF protection wasn't enabled.
Your best bet in the short term is probably going to be to disable the CSRF protection.
Hello @anotheredward, thanks for your quick reply!
We followed the wiki and used 0.0.1 version instead of 0.1.0:
pip install --process-dependency-links -e 'https://github.com/data-govt-nz/ckanext-security.git#egg=ckanext-security==0.0.1'
Maybe the wiki needs an update regarding this? We now use 0.1.0 and disabled CSRF protection. Thank you so far :)
Hi @DionKoolhaas, excuse my ignorance, could you please give me a link to the wiki you found instructions in so we can update them?
Hello @anotheredward, no problem. We used the README.md of this project (https://github.com/data-govt-nz/ckanext-security/blob/master/README.md#how-to-install)
We have a fix in the works for the CSRF issue. As a stop-gap, I've updated the version in the README pip install command to avoid this issue until the work is done: 79bd1f34b39cb28498a11063592f5ac7b42dfbd5
@DionKoolhaas A fix for the CSRF protection was just merged into master. Would you be able to test it on your CKAN instance and see if it now works for you? Thanks :)
We installed CKAN version 2.6.4 together with this ckanext-security plugin. We followed the instructions on the wiki and it seems like much of CKAN is working fine. However, every POST (login, change language etc) gives a 403 response with the message:
Access was denied to this resource. CSRF authentication failed. Token missing or invalid.
We cannot figure out what the cause is. We tested it with Firefox and IE. Anyone seen this message before and know the solution?
Request headers:
Accept: text/html,application/xhtml+xm…plication/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Host: localhost:5000
Referer: http://localhost:5000/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linu…) Gecko/20100101 Firefox/59.0

Response headers:
Content-Length: 210
Content-Type: text/html; charset=UTF-8
Date: Thu, 22 Mar 2018 14:10:39 GMT
Server: PasteWSGIServer/0.5 Python/2.7.9
Set-Cookie: csrftoken=3f37fee27c3b34182a12…ost; Path=/; secure; HttpOnly
Set-cookie: ckan_session=8b13a7a6e45e7f830…ost; httponly; Path=/; secure

Debug log:
2018-03-22 15:48:54,490 INFO [ckan.lib.base] /api/i18n/en render time 0.007 seconds
2018-03-22 15:48:54,490 DEBUG [pylons.controllers.core] Calling Response object to return WSGI
2018-03-22 15:48:54,491 INFO [repoze.who] no challenge required
2018-03-22 15:48:54,491 INFO [repoze.who] -- repoze.who request ended (/api/i18n/en) --
2018-03-22 15:49:06,967 DEBUG [paste.httpserver.ThreadPool] Added task (0 tasks queued)
2018-03-22 15:49:12,224 DEBUG [paste.httpserver.ThreadPool] Added task (0 tasks queued)