@@ -106,7 +106,7 @@ utils.anti_csrf_nonce() and is put in a database to be
106106retreived if the token is used. Token lifetimes are 2 weeks
107107by default but can be configured in config.ini. Roundup will
108108automatically prune old tokens. Calling anti_csrf_nonce with
109- an integer lifetime, for example
109+ an integer lifetime, for example:
110110
111111 <input name="@csrf" type="hidden"
112112 tal:attributes="value python:utils.anti_csrf_nonce(lifetime=10)">
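Review bot: The single colon added on line 109 ("for example:") does not turn the following `<input name="@csrf" ...>` snippet into a literal block, assuming this file is reStructuredText as the `.. _` link targets and `~~~` underline elsewhere in the diff suggest. It will render as a block quote. Ending the sentence with `::` would show the markup verbatim. The unchanged context line 106 also has "retreived" for "retrieved", which could be fixed in the same pass.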
@@ -153,6 +153,27 @@ usually occurs because the form uses the standard context/submit
153153element but you also added an explicit @csrf statement. Simply remove
154154the @csrf element for that form.
155155
156+ Errors and Troubleshooting - xmlrpc Required Header Missing
157+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
158+ When performing and xmlrpc call, if you see something like:
159+
160+ xmlrpclib.Fault: <Fault 1: "<class
161+ 'roundup.exceptions.UsageError'>:Required Header Missing">
162+
163+ change the setting of csrf_enforce_header_x-requested-with in
164+ config.ini to no. So it looks like:
165+
166+ csrf_enforce_header_x-requested-with = no
167+
168+ Alternatively change your xmlrpc client to add appropriate headers to
169+ the request including the:
170+
171+ X-Requested-With:
172+
173+ header as well as any other required csrf headers (e.g. referer, origin)
174+ configured in config.ini. See the advanced python client at the end of
175+ the `xmlrpc guide`_.
176+
156177Support for SameSite cookie option for session cookie
157178-----------------------------------------------------
158179
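Review bot: The new troubleshooting text on lines 163-166 offers setting `csrf_enforce_header_x-requested-with = no` as the first remedy and mentions fixing the client only as an alternative. That ordering steers readers toward turning off a CSRF header check in config.ini. Suggest leading with the client-side fix (sending X-Requested-With and the other configured headers) and presenting the config change as a fallback, with a sentence on what check is being disabled. Smaller points: "performing and xmlrpc call" on line 158 should be "an xmlrpc call", "including the:" on line 169 reads awkwardly, and the indented samples need `::` on the preceding line to render as literal blocks.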
@@ -2489,3 +2510,4 @@ copy.
24892510.. _`customisation documentation`: customizing.html
24902511.. _`security documentation`: security.html
24912512.. _`administration guide`: admin_guide.html
2513+ .. _`xmlrpc guide`: xmlrpc.html