Bug #8301

Dashboard Widgets may no longer need CSRF disabled

Added by Jim Pingle over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Dashboard
Target version:
Start date: 01/29/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.x
Affected Architecture: All

Description

CSRF is deliberately disabled in some widgets such as traffic_graphs.widget.php but it's unclear if that is still necessary.

I removed the $nocsrf = true; line from traffic_graphs.widget.php and the widget is still functional and settings can still be saved.

We may need to test each widget individually and verify if any still have issues. The original commit disabling CSRF in widgets was 7 years ago and the dashboard has gone through significant architecture changes since then.

Associated revisions

Revision 9ee5030e (diff)
Added by Jim Pingle over 1 year ago

Re-enable CSRF protection in traffic_graphs_widget.php. Ticket #8301

Revision fbcb1046 (diff)
Added by Jim Pingle over 1 year ago

Re-enable CSRF protection in traffic_graphs_widget.php. Ticket #8301

(cherry picked from commit 9ee5030eecc99dd1e7a747f23870663715dfc21f)

Revision ce7b40ce (diff)
Added by Stephen Jones over 1 year ago

Fixed #8301 CSRF Enabled on all widgets.

Enabled CSRF on all widgets.

History

#1 Updated by Steve Beaver over 1 year ago

  • Assignee changed from Steve Beaver to Anonymous

#2 Updated by Anonymous over 1 year ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#3 Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

Every widget I've tried still works. It's been in snaps for two weeks with no other complaints; I'd say it's resolved.

#4 Updated by Jim Pingle over 1 year ago

  • Private changed from Yes to No
