Item2160: JHotDrawPlugin incompatible with 1.0.7 CSRF protection of attachments
Priority: Urgent
Current State: Closed
Released In:
Target Release: n/a
JHotDrawPlugin incompatible with 1.0.7 CSRF protection of attachments
Plugin cannot save unless you disable CSRF protection completely.
We need the plugin to be able to at least work with embedded type protection.
--
KennethLavrsen - 28 Sep 2009
Note that it must be possible to save multiple times from the applet during editing.
You cannot expect people to always save and quit. Saving while drawing is common as the program can crash.
That puts an extra challenge on implementation because it means the plugin must be given a new token after each save and continue.
--
KennethLavrsen - 28 Sep 2009
The reason is we added CSRF protection to upload requests, which
JHotDraw uses for saves. There are a couple of possible solutions:
- Compute the correct response in Java (should be fairly simple)
- Use a REST handler for saving these graphics.
--
CrawfordCurrie - 28 Sep 2009
I checked in my updates, but have only tested against trunk. Kenneth, I could really use some feedback. Already spent far too much time on this.
If it works, then we have a general solution for Java applets + strikeone, which I will blog on.
--
CrawfordCurrie - 08 Oct 2009
You will have feedback within 48 hours.
Great that you took on this task.
--
KennethLavrsen - 08 Oct 2009
Tested JHotDrawPlugin in 1.0.7.
I cannot save. Java applet hangs during save. Cannot even exit without saving. Have to kill browser.
--
KennethLavrsen - 08 Oct 2009
Found root cause.
File does not exist: /var/www/Release01x00/core/pub/System/JHotDrawPlugin/jhotdraw.js
It seems we have a problem now with pseudo-installed extensions with compressed .js files. The compressed file is built with BuildContrib but you do not run Build when testing.
When I manually just copy the jhotdraw_src.js to jhotdraw.js it works.
There is also some debug printing left that fills the log with "JHotDraw saved Testdrawing".
The feedback during save has degraded. It says it is saving and appears never to finish. Before, you got the feedback "Saved ... OK". It is not until you hover the mouse over some buttons that the Saving message changes.
The Exit dialog is a little too smart. If I edit a drawing and want to exit without saving, neither "It is OK, I have saved" nor "No don't exit yet" matches. It is rather confusing. Just "Yes, exit now" and "No don't exit yet" will do.
--
KennethLavrsen - 08 Oct 2009
The lack of the compressed .js is really down to an expectation that a tester will run with FOSWIKI_ASSERT enabled. It will always be there in a release. It's not a big deal to add it to the repository. More importantly, you have highlighted something I knew, which is that the Java will blindly continue even if there is no Javascript running. There needs to be a handshake.
The debug printing can be removed.
The feedback during save appears less because it is now only sending a single request to the server, instead of 3. I haven't put any effort into improving this (I was trying to get it working as a first step!)
You can never get the wording of this exit dialog quite right.
JHotDraw has no "something has changed" flag, though I'm sure one could be added by someone who has the time - or maybe 1.6 has that, I didn't look. So the dialog is always presented, even if you have nothing to save.
I'll take all these points into account when I next have a chance to work on it (or someone else with checkin rights is welcome to make the suggested changes).
--
CrawfordCurrie - 09 Oct 2009
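The requirement discussed above (a fresh validation key after every save-and-continue, and a handshake so the applet does not blindly carry on when no key comes back) as an added Python model. This is not Foswiki's strikeone code nor the plugin's Java; the SaveEndpoint and Applet classes and their one-token-per-session scheme are hypothetical.

```python
import secrets
import hmac


class SaveEndpoint:
    """Hypothetical server side: one valid CSRF token per session at a time."""

    def __init__(self):
        self._tokens = {}  # session id -> currently valid token

    def issue_token(self, session_id):
        # Called when the edit page (and with it the applet) is first served.
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def save(self, session_id, token, drawing):
        """Accept the upload only with the current token; rotate it on success."""
        expected = self._tokens.get(session_id)
        if expected is None or not hmac.compare_digest(expected, token):
            return {"ok": False, "reason": "invalid or stale validation key"}
        # One-time use: the old token dies as soon as the save is accepted,
        # so the response must carry the token for the next save.
        return {"ok": True, "saved": drawing,
                "next_token": self.issue_token(session_id)}


class Applet:
    """Hypothetical client: always saves with the token from the last reply."""

    def __init__(self, server, session_id):
        self.server = server
        self.session_id = session_id
        self.token = server.issue_token(session_id)

    def save(self, drawing):
        reply = self.server.save(self.session_id, self.token, drawing)
        # Handshake: refuse to continue editing unless the server handed back
        # the next token; carrying on blindly would make the next save fail.
        if not reply.get("ok") or "next_token" not in reply:
            raise RuntimeError(reply.get("reason", "no new token in reply"))
        self.token = reply["next_token"]
        return reply["saved"]


def save_twice_then_replay():
    """Constructed scenario: two save-and-continue rounds, then a replay."""
    server = SaveEndpoint()
    applet = Applet(server, "session-A")
    first_token = applet.token
    results = [applet.save("Testdrawing v1"), applet.save("Testdrawing v2")]
    # Replaying the token issued before the first save must be rejected.
    return results, server.save("session-A", first_token, "forged")["ok"]
```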
I took a stab:
- Removed the debug message
- Changed the "It is OK, I have saved" to "Yes, exit now"
- Added an additional message so the Saving .... is overwritten by Saved ... when all the saving is done. This way it does not look like anything is hanging. And if it was hanging we would see the Saving... forever.
With these changes I think we can release the new version so I do that.
--
KennethLavrsen - 13 Oct 2009
You missed adding jhotdraw.js to the MANIFEST.
--
CrawfordCurrie - 27 Oct 2009
Not sure where we stand with this, so marking for Kenneth's feedback, as he was the last one "doing stuff".
--
CrawfordCurrie - 08 Dec 2009
The last status was:
- You fixed the plugin so it works on 1.0.7 and asked me to check it out
- I did the small additional fixes to the plugin
- I released the plugin to foswiki.org
- You found out that you had not added jhotdraw.js to the MANIFEST and blamed me for it
- You fixed the MANIFEST and uploaded the corrected plugin to foswiki.org
- You forgot to close this bug and blamed me for it
But it's OK. I can take it.
I am thankful for the fix you did to make it work with the CSRF protection. I could not have done that myself.
But all is well and has been since October 27th.
Closing bug.
--
KennethLavrsen - 09 Dec 2009