public URLs only work on new pages

Postby Manz » Wed Mar 15, 2017 3:44 am

I'm having the strangest problem.

I'm migrating from an old version to new OMERO, and have some customizations. The old version is working.

On my new version, I have some pages that use the web public user. I have them in omero.web.public.url_filter. When I open these pages in a new tab or refresh, they work without a login. When I go from one page to another using POST forms, I get

Forbidden (403)
CSRF Error. You don't have permission to access this page on this server.

I can then refresh that same page and it appears. I'm assuming the CSRF isn't following through the link but is being recreated via the public user on new page/refresh.

In the logs, I have this for the broken pages:

2017-03-15 02:58:00,845 DEBUG [                     omeroweb.decorators] (proc.22918) wrapped():468 Connection not provided, attempting to get one.
2017-03-15 02:58:00,845 DEBUG [                     omeroweb.decorators] (proc.22918) get_authenticated_connection():367 Is SSL? False
2017-03-15 02:58:00,845 DEBUG [                     omeroweb.decorators] (proc.22918) get_authenticated_connection():369 Connector: <omeroweb.connector.Connector object at 0x5280ad0>
2017-03-15 02:58:00,845 DEBUG [                     omeroweb.decorators] (proc.22918) get_authenticated_connection():430 Django session connector: <omeroweb.connector.Connector object at 0x5280ad0>
2017-03-15 02:58:00,845 DEBUG [                           omero.gateway] (proc.22918) _resetOmeroClient():1918 localhost
2017-03-15 02:58:00,846 DEBUG [                           omero.gateway] (proc.22918) _resetOmeroClient():1919 4064
2017-03-15 02:58:00,846 DEBUG [                           omero.gateway] (proc.22918) _resetOmeroClient():1920 []
2017-03-15 02:58:00,849 DEBUG [                           omero.gateway] (proc.22918) connect():1960 Connect attempt, sUuid=askdjfhjahksdfhskadjfhsdka, group=None, self.sUuid=None
2017-03-15 02:58:00,849 DEBUG [                           omero.gateway] (proc.22918) connect():1970 connected? False

What am I missing?
Manz
 
Posts: 72
Joined: Wed Jun 29, 2011 11:48 pm

Re: public URLs only work on new pages

Postby atarkowska » Wed Mar 15, 2017 8:48 am

Hi

Any 'unsafe' HTTP operation, such as POST, always requires a valid CSRF token. http://www.openmicroscopy.org/site/supp ... /CSRF.html

Ola
atarkowska
 
Posts: 327
Joined: Mon May 18, 2009 12:44 pm

Re: public URLs only work on new pages

Postby Manz » Fri Mar 17, 2017 12:36 am

atarkowska wrote:
Hi

Any 'unsafe' HTTP operation, such as POST, always requires a valid CSRF token. http://www.openmicroscopy.org/site/supp ... /CSRF.html

Ola

Even when using a web public user? This previously wasn't the case with OMERO version 4.4?

These pages are listed in omero.web.public.url_filter
Manz
 
Posts: 72
Joined: Wed Jun 29, 2011 11:48 pm

Re: public URLs only work on new pages

Postby manics » Fri Mar 17, 2017 9:27 am

That's correct. CSRF is a potential security vulnerability which was fixed in OMERO 5: http://www.openmicroscopy.org/site/prod ... 4-SV3-csrf
manics
Team Member
 
Posts: 261
Joined: Mon Oct 08, 2012 11:01 am
Location: Dundee

Re: public URLs only work on new pages

Postby Manz » Mon Mar 20, 2017 5:49 am

Would it be possible to get an example of an HTML form that goes from one public URL page to another public URL page?

Thanks,
A
Manz
 
Posts: 72
Joined: Wed Jun 29, 2011 11:48 pm

Re: public URLs only work on new pages

Postby wmoore » Mon Mar 20, 2017 9:06 am

Hi,

You need to include
{% csrf_token %}
in your form. See https://docs.djangoproject.com/en/1.8/ref/csrf/

Regards,

Will.
wmoore
Team Member
 
Posts: 674
Joined: Mon May 18, 2009 12:46 pm
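Worked example (added here; it is not OMERO's or Django's code) of the synchronizer-token pattern that Django's CsrfViewMiddleware applies and that {% csrf_token %} feeds. It models what the thread describes: a GET or refresh on a public page succeeds because safe methods are never checked, a POST whose form omits the hidden csrfmiddlewaretoken field is answered with 403, and the same POST succeeds once the form rendered by the previous page carries the token. The session dictionary, the function names and the /webgateway/next/ action URL are constructed for the example; the field name csrfmiddlewaretoken and the set of exempt methods match Django's.

```python
import hmac
import re
import secrets
from html import escape

# Django's CsrfViewMiddleware does not check these methods; every other
# method ("unsafe": POST, PUT, DELETE, ...) must carry a valid token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TOKEN_FIELD = "csrfmiddlewaretoken"   # hidden field name emitted by {% csrf_token %}


def issue_csrf_token(session):
    """Return the session's CSRF token, creating one on first use.

    `session` is a plain dict standing in for the server-side session
    (assumption made for this example). A public user gets a token exactly
    like a logged-in one: the check is per request, not per account.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def render_form(session, action):
    """Render a form linking one public page to the next.

    The hidden input is what {% csrf_token %} expands to inside a Django
    template; a form without it is the failure mode in the thread.
    """
    token = issue_csrf_token(session)
    return (
        f'<form method="post" action="{escape(action)}">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        '  <input type="submit" value="Next page">\n'
        '</form>'
    )


def extract_token(html):
    """Pull the hidden token back out of rendered HTML (simulates the browser resubmitting it)."""
    match = re.search(rf'name="{TOKEN_FIELD}" value="([0-9a-f]+)"', html)
    return match.group(1) if match else None


def check_request(session, method, form_fields):
    """Return (status, reason) the way the middleware would decide a request."""
    if method.upper() in SAFE_METHODS:
        return 200, "safe method, no token required"
    expected = session.get("csrf_token")
    submitted = form_fields.get(TOKEN_FIELD)
    if expected is None or submitted is None:
        return 403, "CSRF token missing"
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "CSRF token incorrect"
    return 200, "token verified"


def simulate_thread():
    """Reproduce the three situations from the thread; returns their status codes."""
    session = {}
    statuses = []
    # 1. Opening the public page in a new tab / refreshing: a GET, never checked.
    statuses.append(check_request(session, "GET", {})[0])
    # 2. A form from the old 4.4-era template that lacks {% csrf_token %}.
    statuses.append(check_request(session, "POST", {})[0])
    # 3. The same form after adding {% csrf_token %}: the token round-trips.
    page = render_form(session, "/webgateway/next/")
    statuses.append(check_request(session, "POST", {TOKEN_FIELD: extract_token(page)})[0])
    return statuses


if __name__ == "__main__":
    print(simulate_thread())
```

Running the block prints [200, 403, 200]: the first two entries are the "works on refresh, 403 on POST" behaviour reported at the top of the thread, and the third is the effect of adding {% csrf_token %} to the form. Note that a token copied from one browser session is rejected in another, which is the property that stops a third-party page from driving an unsafe request on a user's behalf.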
