[EP-tech] indexer and csrf problem
Newman D.R.
drn at ecs.soton.ac.uk
Tue Jun 11 15:12:46 BST 2019
Hi Werner,
Regarding the CSRF issue, you need to edit line 14 of:
EPRINTS_PATH/lib/static/javascript/screen_admin_storagemanager.js
and change it from:
method: "post",
to
method: "get",
I am not sure why this needs to be a post rather than a get, as it seems
to work fine as a get.
I will make sure that this patch is added to GitHub so that it becomes
part of the next EPrints 3.4 release.
Regards
David Newman
On Tue, 2019-06-11 at 14:42 +0100, David R Newman wrote:
> Hi Werner,
>
> Regarding the indexer issue, the most likely reason is there is an
> edit lock on the EPrint record. This will happen if someone is
> editing the record. This could just be someone loading the edit page
> and then never hitting either the "Cancel" or "Save and Return". If
> this is the case the task in the indexer will have a status of
> "Waiting". If it has some other status then there may be another
> issue. Usually I will try setting the task's status back to waiting
> (you need not change the scheduled time for the task) and see if it
> succeeds next time it tries to run.
>
> Edit locks should only last a short-ish time and the indexer task
> will usually get rescheduled for ten minutes later and run without
> issue if no one has tried to start editing this record again. You can
> go to the Actions tab of the EPrint record and click on a button to
> remove the edit lock if it somehow gets stuck.
>
> Regarding the CSRF issue, this is something that has only recently
> been added. It is intended to protect against Cross Site Request
> Forgery; basically another site trying to submit some malicious
> request whilst you are logged into EPrints. It looks like in the case
> of the Storage Manager this does not work as expected. I.e. it thinks
> something malicious is going on, when it is not. I will take a look
> on my own 3.4.1 instance and get back to you.
>
> Regards
>
> David Newman
>
>
>
> On Tue, 2019-06-11 at 15:23 +0200, Werner Hack via Eprints-tech wrote:
> >
> > Hi all,
> >
> > I am new to eprints. I recently installed eprints 3.4.1.
> > But I encountered some issues while testing the software.
> > I hope you can help me.
> >
> > o If I want to deposit an article and put the item into the live
> > repository, the indexer starts some jobs but they keep pending
> > forever. Restarting the indexer has no effect.
> > If I do a reindex with the epadmin command, everything is ok and
> > the pending jobs are resolved. Any idea what happens here? What can
> > I do?
> >
> > o If I enter the "Storage Manager" as Admin in the Config Tools,
> > I get the following error message:
> >
> > Cross-Site Request Forgery (CSRF) was detected whilst processing
> > your last request and therefore its action was not authorised.
> >
> > Have I missed some configuration?
> > Any hints are appreciated
> >
> > Thanks in advance
> > Werner
> >