Disable CSRF for specific actions

Hey,

To simplify life for some of my users, in the AdminCC notification message that is sent when a new ticket is created I include a link to take the ticket, i.e.:

https://rt/Ticket/Display.html?Action=Take;id=1234

This mostly works, except that the "Possible cross-site request forgery" message is displayed and the user needs to reload the page.

Is it possible to disable CSRF checking for specific actions, like take?

Cheers,
Andrew

Hi there

I had this issue as well, having clickable links in a report. I fixed it by adding an HTML file with the below contents to $RT4_HOME/share/static; in this case I called it redirect.html:

<html>
<script type="text/javascript">

// Take whatever follows '?' in this page's URL (the ticket id) and send the browser to that ticket
location.href='/Ticket/Display.html?id='+location.href.substring(location.href.indexOf('?')+1, 100);

</script>
</html>

Send your request to https://rt/static/redirect.html?1234 and it will side step the CSRF requirement and open the ticket.

To do what you seek, add Action=Take; to the URL in the above HTML file.

I've just tried this, but sadly it still blocks it with "Possible cross-site request forgery".

I should add that I have the hostname for RT listed in ReferrerWhitelist, so this redirect should be coming from a whitelisted source.

I just gave it a try and it worked just fine:

# cat take.html
<html>
<script type="text/javascript">

// Forward the ticket id from this page's query string and append the Take action
location.href='/Ticket/Display.html?id='+location.href.substring(location.href.indexOf('?')+1, 100)+'&Action=Take';

</script>
</html>
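The reason the static page sidesteps the check is that the second request is a same-origin redirect, so the browser sends the RT host (which is whitelisted) as the Referer. One caveat worth keeping in mind: the scripts above forward everything after the "?" unchanged, so the static page will pass along any extra parameters a link happens to contain. Below is an added example, not code from this thread or from RT, of a stricter version of the same script that only accepts a bare numeric ticket id before building the Take URL. The function name buildTakeUrl is my own; the Display.html path and the id/Action parameters are the ones used above.

```javascript
// Added example: stricter variant of the redirect page's script.
// Accepts only a purely numeric ticket id in the query string, so
// the static page cannot be used to forward arbitrary parameters
// into a state-changing Display.html request.
function buildTakeUrl(search) {
  // search is the raw query string, e.g. "?1234" (as location.search gives it)
  const raw = search.startsWith('?') ? search.slice(1) : search;
  // Refuse anything that is not a bare ticket number (constructed limit: 10 digits)
  if (!/^\d{1,10}$/.test(raw)) {
    return null;
  }
  return '/Ticket/Display.html?id=' + raw + '&Action=Take';
}

// In a browser, perform the redirect; if the id is invalid, stay on the
// static page rather than sending a malformed request to RT.
if (typeof location !== 'undefined') {
  const target = buildTakeUrl(location.search);
  if (target !== null) {
    location.href = target;
  }
}
```

Drop the function and the guard into the same `<script>` block as above; links of the form https://rt/static/take.html?1234 keep working, while a link carrying extra parameters after the id is simply ignored.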

Ah ha, got it working. The HTML as both you and I gave worked, but in my Transaction template I had to give the full URL, including the ".html" of the file, for it to work.

Another paper cut removed from my life. Thank you!