
public URLs only work on new pages

PostPosted: Wed Mar 15, 2017 3:44 am
by Manz
I'm having the strangest problem.

I'm migrating from an old version to new OMERO, and have some customizations. The old version is working.

On my new version, I have some pages that are using the web public user. I have them in omero.web.public.url_filter. When I open these pages in a new tab or refresh, they work without a login. When I refer from one page to another using POST forms I get

Forbidden (403)
CSRF Error. You don't have permission to access this page on this server.

I can then refresh that same page and it appears. I'm assuming the CSRF isn't following through the link but is being recreated via the public user on new page/refresh.

In the logs, I have this for the broken pages:

2017-03-15 02:58:00,845 DEBUG [                     omeroweb.decorators] (proc.22918) wrapped():468 Connection not provided, attempting to get one.
2017-03-15 02:58:00,845 DEBUG [                     omeroweb.decorators] (proc.22918) get_authenticated_connection():367 Is SSL? False
2017-03-15 02:58:00,845 DEBUG [                     omeroweb.decorators] (proc.22918) get_authenticated_connection():369 Connector: <omeroweb.connector.Connector object at 0x5280ad0>
2017-03-15 02:58:00,845 DEBUG [                     omeroweb.decorators] (proc.22918) get_authenticated_connection():430 Django session connector: <omeroweb.connector.Connector object at 0x5280ad0>
2017-03-15 02:58:00,845 DEBUG [                           omero.gateway] (proc.22918) _resetOmeroClient():1918 localhost
2017-03-15 02:58:00,846 DEBUG [                           omero.gateway] (proc.22918) _resetOmeroClient():1919 4064
2017-03-15 02:58:00,846 DEBUG [                           omero.gateway] (proc.22918) _resetOmeroClient():1920 []
2017-03-15 02:58:00,849 DEBUG [                           omero.gateway] (proc.22918) connect():1960 Connect attempt, sUuid=askdjfhjahksdfhskadjfhsdka, group=None, self.sUuid=None
2017-03-15 02:58:00,849 DEBUG [                           omero.gateway] (proc.22918) connect():1970 connected? False

What am I missing?

Re: public URLs only work on new pages

PostPosted: Wed Mar 15, 2017 8:48 am
by atarkowska
Hi

Any 'unsafe' HTTP operations, such as POST always require a valid CSRF token. http://www.openmicroscopy.org/site/supp ... /CSRF.html

Ola

Re: public URLs only work on new pages

PostPosted: Fri Mar 17, 2017 12:36 am
by Manz
atarkowska wrote: Hi

Any 'unsafe' HTTP operations, such as POST always require a valid CSRF token. http://www.openmicroscopy.org/site/supp ... /CSRF.html

Ola

Even when using a web public user? This previously wasn't the case with OMERO version 4.4?

These pages are listed in omero.web.public.url_filter

Re: public URLs only work on new pages

PostPosted: Fri Mar 17, 2017 9:27 am
by manics
That's correct. CSRF is a potential security vulnerability which was fixed in OMERO 5: http://www.openmicroscopy.org/site/prod ... 4-SV3-csrf

Re: public URLs only work on new pages

PostPosted: Mon Mar 20, 2017 5:49 am
by Manz
Would it be possible to get an example of a html form that goes from one public url page to another public url page?

Thanks,
A

Re: public URLs only work on new pages

PostPosted: Mon Mar 20, 2017 9:06 am
by wmoore
Hi,

You need to include
{% csrf_token %}
in your form. See https://docs.djangoproject.com/en/1.8/ref/csrf/

Regards,

Will.
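The behaviour Manz describes (a refresh works, a POST from one public page to another gets "Forbidden (403) CSRF Error") follows from how Django's CSRF middleware decides, independently of whether the view itself is wrapped for the public user. The following is an added illustration, not OMERO's or Django's own code: it models the check in plain Python using the names Django actually uses for the pieces a form author sees (the `csrftoken` cookie, the hidden `csrfmiddlewaretoken` field that `{% csrf_token %}` renders, and the `X-CSRFToken` header for AJAX). The functions `new_token`, `render_form`, `csrf_check` and `demo`, and the comparison logic itself, are simplified assumptions for the example; real Django additionally masks the token and checks the `Referer` on HTTPS.

```python
import hmac
import secrets
from html import escape

# Methods Django treats as "safe" (read-only). Everything else, POST included,
# must carry a CSRF token, even when the view runs as the web public user.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"            # Django's default CSRF cookie
FIELD_NAME = "csrfmiddlewaretoken"   # hidden input rendered by {% csrf_token %}
HEADER_NAME = "X-CSRFToken"          # header Django accepts for AJAX POSTs


def new_token() -> str:
    """Issue a fresh CSRF secret; the server sets it in the csrftoken cookie."""
    return secrets.token_hex(32)


def render_form(action: str, token: str) -> str:
    """Render a form carrying the hidden field that {% csrf_token %} emits.

    Linking two public-URL pages with a POST form needs exactly this field;
    without it the middleware rejects the request before the view is reached.
    """
    return (
        f'<form method="post" action="{escape(action)}">\n'
        f'  <input type="hidden" name="{FIELD_NAME}" value="{escape(token)}">\n'
        f'  <button type="submit">Next page</button>\n'
        f'</form>'
    )


def csrf_check(method, cookies, form=None, headers=None):
    """Return (status, reason) for one request, mirroring the middleware's decision.

    Simplified double-submit check (illustrative, not Django's implementation):
    the token submitted in the form field or header must match the cookie.
    """
    method = method.upper()
    if method in SAFE_METHODS:
        # A refresh or a link opened in a new tab is a GET: no token needed,
        # which is why Manz's pages "work" on refresh.
        return 200, "safe method, no token required"
    cookie_token = cookies.get(COOKIE_NAME)
    if cookie_token is None:
        return 403, "CSRF cookie not set"
    submitted = (form or {}).get(FIELD_NAME) or (headers or {}).get(HEADER_NAME)
    if not submitted:
        return 403, "CSRF token missing"
    if not hmac.compare_digest(submitted, cookie_token):
        return 403, "CSRF token incorrect"
    return 200, "ok"


def demo():
    """Walk through the cases from the thread and return the status of each."""
    token = new_token()
    cookies = {COOKIE_NAME: token}       # browser already holds the cookie
    return {
        "refresh_get": csrf_check("GET", cookies)[0],
        "post_with_token": csrf_check("POST", cookies, form={FIELD_NAME: token})[0],
        "post_without_token": csrf_check("POST", cookies, form={})[0],
        "post_ajax_header": csrf_check("POST", cookies, headers={HEADER_NAME: token})[0],
        "post_wrong_token": csrf_check("POST", cookies, form={FIELD_NAME: new_token()})[0],
    }


if __name__ == "__main__":
    print(render_form("/webclient/next_public_page/", new_token()))
    for case, status in demo().items():
        print(f"{case:20s} -> {status}")
```

The `post_without_token` case is the 403 from the first post: the public-user wrapper in `omeroweb.decorators` only runs once the request has passed the middleware, so listing a URL in omero.web.public.url_filter does not exempt a POST to it from the token check. Adding `{% csrf_token %}` to the form (or sending the `X-CSRFToken` header from script) is the fix Will describes.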