Re: [translate-pootle] Cannot review suggestions after CentOS update

[Cecilia A. <cec...@lu...>]

Hi Alaa,

Thanks for the suggestion, but it didn't work. I still got the same CSRF error when clicking the accept and reject buttons. However, looking at the Django sites listed below, I think the reason it didn't work is that your fix is for Django 1.2 and later only.

http://docs.djangoproject.com/en/1.1/ref/contrib/csrf/
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/

Since I couldn't find any appropriate rpm packages for Django 1.2, I am unable at this point to update Django, and therefore applied the following (ugly) fix, and now I can review suggestions again.

In pootle/html/js/translatepage.js:
  /* Uncomment when using Django 1.2 or later */
  // if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
 //    // Only send the token to relative URLs i.e. locally.
  //   xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
 // }
  
  /* Uncomment when using Django 1.1 or earlier */
    if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
      // Only send the token to relative URLs i.e. locally.
      xhr.setRequestHeader("X-CSRFToken", $("#csrfmiddlewaretoken").val());
    }

Now I have to remember to change it back when I finally do upgrade Django... (>_<)
So if you can incorporate a more beautiful fix in the next Pootle release, that would be tremendously helpful. 

Maybe the following information can help you. With your CSRF fix in translatepage.js unchanged, the X-CSRFToken in the request header is null:
X-CSRFToken:null
X-Requested-With:XMLHttpRequest

The relevant code in Django corresponding to the script csrf.py mentioned in the other thread, seems for Django 1.1.4 to be django/contrib/csrf/middleware.py:

            csrf_token = _make_token(session_id)
            # check incoming token
            request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
            if request_csrf_token == "":
                # Fall back to X-CSRFToken, to make things easier for AJAX
                request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

            if request_csrf_token == "":
                return HttpResponseForbidden(_ERROR_MSG)

            if request_csrf_token != csrf_token:
                return HttpResponseForbidden(_ERROR_MSG)

Cecilia


-----Original Message-----
From: Alaa Abd El Fattah [mailto:al...@tr...] 
Sent: Tuesday, April 26, 2011 7:47 PM
To: Cecilia Albertsson
Cc: Tra...@li...
Subject: Re: [translate-pootle] Cannot review suggestions after CentOS update


Try upgrading to 2.1.6 which we just released, it fixed the CSRF issue.

cheers,
Alaa