PUBLIC - Liferay Portal Community Edition
LPS-84422

CSRF protection prevents "Reply as..." posting of comment with login

Details

Fix Priority: 3

Description

Steps to reproduce:

1. Ensure SAML is disabled (it prevents guest commenting)
2. Place the blogs portlet on a page
3. Verify that the blogs portlet allows comments (it should by default)
4. Log out and navigate back to the blogs page as a guest user
5. Enter some comment and click "Reply as..."
6. Enter the credentials of any valid user and press "Sign In"

Expected result: You are signed in as the user and your comment is posted (with a success message).

Actual result: Saving the comment fails because CSRF token validation rejects it, and consequently the page is not refreshed. A page refresh reveals that you are in fact logged in.

The underlying cause is that logging into the portal starts a new session, which carries a new CSRF token. Because posting a comment via "Reply as..." is done by client-side JavaScript, the client still holds the CSRF token of the old (guest) session and sends that stale token with the comment request.

This means that in step 6 the issue can be reproduced using any SSO as well.

Reproducible on 7.0.x: f8211117fec8ed50ad6b83a086d4b46bfbd60a8f

Packages

Version Package: 7.1.X, Master