
[EP-tech] indexer and csrf problem



Hi David,

the "Storage Manager" is now showing up with your quick fix.
Regarding the indexer, maybe there was an Edit Lock and I was too impatient :)
I see some messages about this issue in the indexer logfile.
Thanks for your support.

Regards
Werner


On 6/11/19 4:12 PM, Newman D.R. wrote:
> Hi Werner,
>
> Regarding the CSRF issue, you need to edit line 14 of:
>
> EPRINTS_PATH/lib/static/javascript/screen_admin_storagemanager.js
>
> and change it from:
>
> method: "post",
>
> to
>
> method: "get",
>
> I am not sure why this needs to be a post rather than a get as it seems
> to work fine as a get.
>
> I will make sure that this patch is added to GitHub so that it becomes
> part of the next EPrints 3.4 release.
>
> Regards
>
> David Newman
>
>
>
>
> On Tue, 2019-06-11 at 14:42 +0100, David R Newman wrote:
>> Hi Werner,
>>
>> Regarding the indexer issue, the most likely reason is there is an edit
>> lock on the EPrint record. This will happen if someone is editing the
>> record. This could just be someone loading the edit page and then
>> never hitting either the "Cancel" or "Save and Return". If this is the
>> case the task in the indexer will have a status of "Waiting". If it
>> has some other status then there may be another issue. Usually I will
>> try setting the task's status back to waiting (you need not change the
>> scheduled time for the task) and see if it succeeds next time it tries
>> to run.
>>
>> Edit locks should only last a short-ish time and the indexer task will
>> usually get rescheduled for ten minutes later and run without issue if
>> no one has tried to start editing this record again. You can go to the
>> Actions tab of the EPrint record and click on a button to remove the
>> edit lock if it somehow gets stuck.
>>
>> Regarding the CSRF issue, this is something that has only recently been
>> added. It is intended to protect against Cross Site Request Forgery;
>> basically another site trying to submit some malicious request whilst
>> you are logged into EPrints. It looks like in the case of the Storage
>> Manager this does not work as expected. I.e. it thinks something
>> malicious is going on, when it is not. I will take a look on my own
>> 3.4.1 instance and get back to you.
>>
>> Regards
>>
>> David Newman
>>
>>
>>
>> On Tue, 2019-06-11 at 15:23 +0200, Werner Hack via Eprints-tech wrote:
>>> Hi all,
>>>
>>> I am new to eprints. I recently installed eprints 3.4.1.
>>> But I encountered some issues while testing the software.
>>> I hope you can help me.
>>>
>>> o If I want to deposit an article and put the item into the live repository,
>>>   the indexer starts some jobs but they keep pending forever.
>>>   Restarting the indexer has no effect.
>>>   If I do a reindex with the epadmin command, everything is ok and the pending
>>>   jobs are resolved. Any idea what happens here? What can I do?
>>>
>>> o If I enter the "Storage Manager" as Admin in the Config Tools,
>>>   I get the following error message:
>>>
>>>   Cross-Site Request Forgery (CSRF) was detected whilst processing
>>>   your last request and therefore its action was not authorised.
>>>
>>>   Have I missed some configuration?
>>>   Any hints are appreciated
>>>
>>> Thanks in advance
>>> Werner
>>>

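Added example, not part of the original thread and not EPrints code: a generic synchronizer-token CSRF check in JavaScript, showing why an AJAX POST sent without a token is rejected, why the same call passes as a GET, and the alternative of keeping POST and sending the token. The names `session.csrfToken` and `params.csrf_token`, the assumption that only non-safe methods are checked, and all sample requests are constructed for illustration.

```javascript
// Generic model of a synchronizer-token CSRF check. Not EPrints code.
// Hypothetical names: session.csrfToken, params.csrf_token.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Compare equal-length strings without stopping at the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a request made within a logged-in session is authorised.
function checkCsrf(request, session) {
  const method = String(request.method).toUpperCase();
  if (SAFE_METHODS.has(method)) {
    // Assumption: safe methods skip the check, so their handlers must be read-only.
    return { allowed: true, reason: "safe method" };
  }
  const supplied = request.params.csrf_token;
  if (!supplied) return { allowed: false, reason: "missing token" };
  if (!session.csrfToken || !constantTimeEqual(supplied, session.csrfToken)) {
    return { allowed: false, reason: "token mismatch" };
  }
  return { allowed: true, reason: "token verified" };
}

// Constructed sample session and AJAX requests (not captured from EPrints).
const TOKEN = "constructed-token-0123456789abcdef";
const sampleSession = { user: "admin", csrfToken: TOKEN };
const sampleRequests = {
  postWithoutToken: { method: "post", params: { view: "stats" } },
  getWithoutToken: { method: "get", params: { view: "stats" } },
  postWithToken: { method: "post", params: { view: "stats", csrf_token: TOKEN } },
  postWithWrongToken: { method: "post", params: { csrf_token: TOKEN.replace("a", "b") } },
};

// Run every sample through the check and collect the decisions by name.
function evaluateSamples() {
  return Object.fromEntries(
    Object.entries(sampleRequests).map(([name, req]) => [name, checkCsrf(req, sampleSession)])
  );
}

console.log(evaluateSamples());
```

Under this model, switching a call to GET is appropriate only when its handler changes no state; a call that does change state should stay a POST and carry the token.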