Problem/Motivation

The entity.ultimate_cron_job.unlock route is not protected against CSRF attacks.

Steps to reproduce

As a user that can post content, add this HTML in a page:

<img src="http://example.com/admin/config/system/cron/jobs/ultimate_cron_queue_locale_translation/unlock">

As another user with the "run cron jobs" permission, display this page: the job is unlocked without any confirmation.

Proposed resolution

Add the _csrf_token: 'TRUE' requirement to this route.
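As an added illustration (not the module's actual routing file), the shape of the fix in a Drupal `*.routing.yml`: the first definition has no CSRF requirement, so any GET request from a user holding the permission (including one triggered by an `<img>` tag) unlocks the job; the second adds `_csrf_token: 'TRUE'`, which makes core's `CsrfAccessCheck` require a valid `token` query parameter bound to the route path. The path, controller, permission string and parameter name below are assumptions for illustration.

```yaml
# Vulnerable: access depends only on the permission, so a forged
# cross-site GET is accepted as long as the victim is logged in.
entity.ultimate_cron_job.unlock:
  path: '/admin/config/system/cron/jobs/{ultimate_cron_job}/unlock'  # assumed path
  defaults:
    _controller: '\Drupal\ultimate_cron\Controller\JobController::unlock'  # assumed controller
  requirements:
    _permission: 'administer ultimate cron'  # assumed permission string

# Fixed: the _csrf_token requirement rejects any request whose
# ?token= query parameter does not validate for this route's path.
entity.ultimate_cron_job.unlock:
  path: '/admin/config/system/cron/jobs/{ultimate_cron_job}/unlock'  # assumed path
  defaults:
    _controller: '\Drupal\ultimate_cron\Controller\JobController::unlock'  # assumed controller
  requirements:
    _permission: 'administer ultimate cron'  # assumed permission string
    _csrf_token: 'TRUE'
```

Links to the route must then be generated through `Url::fromRoute()` / `Link` rather than hard-coded, because the URL generator appends the `token` parameter automatically only for routes that declare `_csrf_token`.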

Remaining tasks

User interface changes

API changes

Data model changes

Comments

prudloff created an issue. See original summary.

Assigned: Unassigned » dhruv.mittal

Assigned: dhruv.mittal » Unassigned
Status: Active » Needs review

Please review

berdir made their first commit to this issue’s fork.

Status: Needs review » Fixed

Works fine, thanks.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.