Details
-
Bug
-
Resolution: Fixed
-
Minor
-
None
-
Professional Edition
-
None
-
Observium Professional 17.10.8879
Description
Attempting to delete a user does not work. The confirm page appears, but "Click to confirm" results in being redirected back to the edit user page with a pair of messages that both read:
WARNING. Possible CSRF attack with EMPTY request token.
The logs show this URL being requested:
clientIPremoved [06/Oct/2017:11:09:38 +0100] "GET /edituser/action=deleteuser/user_id=8/confirm=yes/ HTTP/1.1" 200 151653
Adding the /requesttoken=f08d0etcetcetc/ to the URL results in the user being deleted successfully.
Attachments
Activity
Ok, found.
Fixed in r8894.
But issue with contacts not confirmed (more describe for reproduce steps and create new issue if required).
From the user list, pick the user, then hit "Delete" (top right). This sends me to:
/edituser/action=deleteuser/user_id=5/requesttoken=f42419c4a8b8466fb9a7051babaffa17347e4db6bebba43blahblahblah558beb/
Click the "Click to confirm" link and it redirects you back to the edit user page, without the token, and gives a WARNING. Possible CSRF attack with EMPTY request token message at the top of the page.
Same issue here, when we remove a contact from Contacts page in Alerting section seems that everything works fine but contact is still there.
Mike will probably want to look at this, since I'm not quite sure how this should be done with the CSRF
Workaround:
After click to "Delete User", do not click to confirm just paste "confirm=yes/" (without quotes) before requesttoken=........ and after user_id=N/ to browser address bar.
Result should be something like this, then Enter
OBSERVIUM_URI/edituser/action=deleteuser/user_id=USER_ID/confirm=yes/requesttoken=GENERATED_TOKEN/
This will successfully delete user as Click to confirm url should do.