Standard forms across Allura have a _session_id field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.
For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The ForgeForm class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.
AJAX forms can stay as-is, they use JS already anyway.
The new forge tools require JavaScript to POST any form (due to the current way we implement CSRF protection).
Login, logout, and viewing pages (including download) work without JavaScript.
So, is our official position on this "wontfix", or is this a wait and see?
Wait and see. I would like it to be changed and not require JS for all the development tool pages.
FWIW, I'm fairly certain the new 5 star review stuff is going to be wonky without JS. It hasn't been tested for non-JS support. Ditto for the new enterprise pages/designs. We probably need to huddle with Product, Engineering, and Community and make a decision about whether JS needs to be a requirement.
Originally by: fabiankeil
While I can log in without JavaScript, the "log out" link is hidden. I can "view source" and c&p the "log out" URL into the address bar, but I wouldn't call this "working".
I hope that the POST issues will be fixed before the "new design" is forced on projects that don't enable it voluntarily due to all the accessibility issues.
If security-conscious users are no longer supposed to be able to use SF, it would be great if this could be at least clearly documented.
Originally by: curaga
Please implement this. It's becoming important due to the force-upgrade of all SF projects to Allura.
Creating new tickets does not work without JS, or even on older browsers with JS. In both cases it redirects to the login page, which states that you're already logged in.
Originally by: *anonymous
FYI, curaga, there apparently is a list of projects that "wish to delay upgrade" so you might want to try getting your project added:
https://sourceforge.net/mailarchive/forum.php?thread_name=EA2D8E2DD8814F11A13F0C1672930640%40slashdotmedia.com&forum_name=ijbswa-developers
Due to the awesome interface you may have to "view source" to be able to read the complete message ...
Originally by: *anonymous
No idea why my previous message is declared "Anonymous" and "awaiting moderation".
I was logged in when I wrote it and it worked as expected on 2013-03-17.
We will consider working this into our development schedule, but as said, please contact SourceForge support to request an upgrade delay if this is very important to your project.
Originally by: kolpotoru
I have a complaint about sourceforge.net: with each new upgrade sourceforge.net is becoming worse. I remember the good old days when pages looked simple and there were direct download links to files, which was much easier, but now the pages are much bulkier and take a lot of time to load. This is a big problem where internet speed is slow, and the new download system is much more complicated, difficult to use with a download manager, and many times refuses to download.
Now I am facing this new problem: after logging in to sourceforge.net (in Firefox 3.6, which was released last year), whenever I try to post in some project's forum, instead of posting my message sourceforge.net again asks me to log in. I am unable to understand how I can log in again when I am already logged in.
Last edit: Anonymous 2015-11-17
The majority of JS issues are with the CSRF token being inserted with JS, so let's focus on that and do separate tickets for separate concerns.
Related tickets: #5475
Closed #472, #473.
je/42cc_5475
Can you remove it from GET forms (one example is the ticket search box)? It's not needed there (CSRF is just for POSTs which change state) and it clutters the URL in the resulting address bar pretty bad.
Please also check all usage of SimpleForm and see if you can find any where _session_id doesn't come through. I think those may be missing that hidden field, but in some quick testing I couldn't find one. I did find one in our internal forge-classic repo, which demonstrates what can happen. I tried the following, which I think should work, but for some reason the value doesn't get rendered in the HTML.
Closed #493.
{allura,forge-classic}:je/42cc_5475
(allura force-pushed)
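The approach discussed in this ticket (emit the _session_id hidden field server-side, only on POST forms, and check it when the form comes back), sketched as an added example that is not Allura's code. The function names, the token source and the sample paths are assumptions made for illustration; only the field name comes from the ticket.

```python
import hmac
import secrets
from html import escape

CSRF_FIELD = "_session_id"  # field name taken from the ticket


def new_session_token() -> str:
    """Random per-session value (assumed to be kept in the user's session)."""
    return secrets.token_urlsafe(32)


def csrf_hidden_field(session_token: str) -> str:
    """What a one-line template macro could emit inside a hand-written form."""
    return '<input type="hidden" name="%s" value="%s"/>' % (
        CSRF_FIELD, escape(session_token, quote=True))


def render_form(action: str, method: str, inner_html: str,
                session_token: str) -> str:
    """Render a form without JS; only state-changing POST forms get the token,
    so GET forms (e.g. a search box) do not leak it into the URL."""
    method = method.upper()
    hidden = csrf_hidden_field(session_token) if method == "POST" else ""
    return '<form action="%s" method="%s">%s%s</form>' % (
        escape(action, quote=True), method, hidden, inner_html)


def is_request_allowed(method: str, form_fields: dict,
                       session_token: str) -> bool:
    """Server-side check: a POST must echo the session's token."""
    if method.upper() != "POST":
        return True
    submitted = form_fields.get(CSRF_FIELD, "")
    # Constant-time comparison; an empty session token never validates.
    return bool(session_token) and hmac.compare_digest(
        submitted.encode(), session_token.encode())


if __name__ == "__main__":
    token = new_session_token()
    # Constructed sample forms: one POST, one GET.
    print(render_form("/example/save", "post", '<input name="summary"/>', token))
    print(render_form("/example/search", "get", '<input name="q"/>', token))
    print(is_request_allowed("POST", {CSRF_FIELD: token}, token))
    print(is_request_allowed("POST", {"summary": "no token"}, token))
```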