Disable CSRF for specific actions


To simplify life for some of my users, in the AdminCC notification message that is sent when a new ticket is created I include a link to take the ticket, i.e.:


This mostly works, except that the Possible cross-site request forgery message is displayed and the user needs to reload the page.

Is it possible to disable CSRF checking for specific actions, like take?


Hi there

I had this issue as well having clickable links in a report - I fixed it by adding a HTML file with the below contents to $RT4_HOME/share/static - in this case I called it redirect.html:

<script type="text/javascript">

location.href='/Ticket/Display.html?id='+location.href.substring(location.href.indexOf('?')+1, 100);


Send your request to https://rt/static/redirect.html?1234 and it will side step the CSRF requirement and open the ticket.

To do what you seek, add Action=Take; to the URL in the above HTML file.

I’ve just tried this, but sadly it still blocks it with Possible cross-site request forgery.

I should add that I have the hostname for RT listed in ReferrerWhitelist, so this redirect should be coming from a whitelisted source.

I just gave it a try and it worked just fine:

# cat take.html
<script type="text/javascript">

location.href='/Ticket/Display.html?id='+location.href.substring(location.href.indexOf('?')+1, 100)+'&Action=Take';


Ah ha, got it working. The HTML as both you and I gave worked, but in my Transaction template, I had to give the full URL, including the “.html” of the file for it work.

Another paper cut removed from my life. Thank you!