On 10/27/22 at 5:48, Mark Sapiro wrote:
On 10/26/22 04:33, Guillermo Hernandez (Oldno7) via Mailman-users wrote:
I did it via pip and all seems to be working, but when I try to discard or accept any message via Postorius it shows a "Forbidden (403) CSRF verification failed" error.
In my settings.py I have commented out these variables:
# Other security settings
# SECURE_SSL_REDIRECT = True
# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
# contains at least this line:
# SECURE_REDIRECT_EXEMPT = [
#     "archives/api/mailman/.*",  # Request from Mailman.
# ]
# SESSION_COOKIE_SECURE = True
# SECURE_CONTENT_TYPE_NOSNIFF = True
# SECURE_BROWSER_XSS_FILTER = True
# CSRF_COOKIE_SECURE = True
# CSRF_COOKIE_HTTPONLY = True
# X_FRAME_OPTIONS = 'DENY'
I've been messing with them with no results. It's like it lacked some value in some template...
It's not an issue with the code per se or the templates. These updates are all installed on mail.python.org and lists.mailman3.org and are working fine.
After upgrading did you run
django-admin collectstatic --clear
django-admin compress
django-admin migrate
Since I made the whole mailman3 environment server-wide (not using a venv), I had already executed the migration by doing
su -m mailman3 -c "python3 manage.py collectstatic"
su -m mailman3 -c "python3 manage.py migrate"
mailman3 being the user who runs all of the mailman3-related stuff.
I had problems with the migrate part, which showed an error about lacking permissions. I solved it by running the migration as root (I know it could cause trouble later, but...).
After that, the compress part showed errors... but the Postorius web maintenance was working well except for the CSRF verification error. I will trace the compress errors and try to find the problem later.
With your pointer to the CSRF_TRUSTED_ORIGINS parameter, I can now accept or discard a message received by the lists (I put the config that is working for me below).
All seems to be working now flawlessly.
Thanks once again for your guidance.
############
SESSION_COOKIE_SECURE = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
X_FRAME_OPTIONS = 'DENY'
#
CSRF_TRUSTED_ORIGINS = [
    "https://*.mydomain-example.xxx",
    "https://mydomain-example",
    "https://mydomain",
]
############
If you have and it doesn't help, you probably need to add CSRF_TRUSTED_ORIGINS to your settings.py.
See https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins and note the differences between Django <4.0 and >=4.0.
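To make the Django <4.0 vs >=4.0 difference concrete, here is an added example that re-implements, in plain Python, the rules Django 4.x applies when it compares a request's Origin header against CSRF_TRUSTED_ORIGINS (scheme required on every entry, a leading "*." matching the domain and its subdomains, exact match otherwise). It is illustration code written for this page, not Django's own middleware and not part of the thread; the hostnames reuse the redacted placeholders from the config above, and the "request arrives as http behind a TLS-terminating proxy" scenario in the tests is a constructed case, not the thread's diagnosed cause.

```python
"""Re-implementation of Django >= 4.0 CSRF trusted-origin matching.

Added example for illustration only; not Django's code.
"""
from urllib.parse import urlparse

# Constructed sample setting, shaped like the working config in the thread.
CSRF_TRUSTED_ORIGINS = [
    "https://*.mydomain-example.xxx",  # wildcard: the domain and any subdomain
    "https://mydomain-example",        # exact origin
    "https://mydomain",                # exact origin
]


def split_trusted_origins(origins):
    """Split the setting into exact origins and per-scheme subdomain suffixes.

    Django >= 4.0 requires a scheme on every entry; a pre-4.0 style entry such
    as "lists.example.org" is rejected here the way Django's startup check
    rejects it.
    """
    exact = set()
    subdomain_suffixes = {}  # scheme -> [".domain.tld", ...]
    for origin in origins:
        if "://" not in origin:
            raise ValueError(
                f"{origin!r} has no scheme; Django >= 4.0 requires e.g. https://"
            )
        parsed = urlparse(origin)
        if "*" in parsed.netloc:
            # "https://*.example.org" -> scheme "https", suffix ".example.org"
            subdomain_suffixes.setdefault(parsed.scheme, []).append(
                parsed.netloc.lstrip("*")
            )
        else:
            exact.add(origin)
    return exact, subdomain_suffixes


def is_same_domain(host, pattern):
    """A leading-dot pattern matches the domain and its subdomains, else exact."""
    if not pattern:
        return False
    pattern = pattern.lower()
    host = host.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def origin_trusted(request_origin, request_scheme, request_host, origins):
    """Return True if a POST carrying this Origin header passes the origin check.

    request_scheme/request_host are what Django sees on the request object; when
    TLS is terminated upstream without SECURE_PROXY_SSL_HEADER they may be
    "http" while the browser sends an https Origin, so the same-origin shortcut
    fails and only CSRF_TRUSTED_ORIGINS can rescue the request.
    """
    good_origin = f"{request_scheme}://{request_host}"
    if request_origin == good_origin:
        return True  # same-origin, no trusted-origins lookup needed
    exact, subdomains = split_trusted_origins(origins)
    if request_origin in exact:
        return True
    parsed = urlparse(request_origin)
    return any(
        is_same_domain(parsed.netloc, suffix)
        for suffix in subdomains.get(parsed.scheme, [])
    )


if __name__ == "__main__":
    # Browser posts to https://lists.mydomain-example.xxx; Django sees http.
    print(origin_trusted("https://lists.mydomain-example.xxx", "http",
                         "lists.mydomain-example.xxx", CSRF_TRUSTED_ORIGINS))
    print(origin_trusted("https://lists.mydomain-example.xxx", "http",
                         "lists.mydomain-example.xxx", []))
```

Run it as a script to see the two outcomes side by side: with the wildcard entry the mismatched-scheme request passes, with an empty setting the same request is refused, which is the 403 the thread describes. The scheme is part of the match, so an `http://` Origin is not covered by an `https://*.` entry.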