Details
Bug
Resolution: Invalid
Medium
Description
For some reason, adding a user to a group, or adding a group to a user will not work.
When the /admin/groups/view?name=developers page first loads, there is a post to the following resource which fails:
"NetworkError: 403 Forbidden - https://mydomain.com:8083/rest/webResources/1.0/resources"
XSRF check failed
Then when I submit the form to add a user to the group, it fails with the same status (403) and message: XSRF check failed
The atl_token is not submitted with the AJAX requests, even though it is submitted on other pages. Post data only contains:

    #!json
    {"group":"developers","users":["bob"]}

Bitbucket v4.3.2
Tested on Firefox and Chrome
Requests are on:
https://mydomain.com:8083 (port open on firewall)
In the Apache httpd.conf, we accept the request using a Comodo SSL certificate (works fine). We then forward the request to Bitbucket listening on port 7990:

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:7990/
    ProxyPassReverse / http://localhost:7990/

Most of the other Bitbucket admin pages work fine over HTTPS: sign in, saving server settings, etc. I confirmed that the browser is sending the HTTP referrer.
I am not sure why the "add user to group" page does not send the CSRF token. Even when I craft an AJAX post with the token in the query string and/or the post data, it still gives a CSRF failure.