[rt-users] Creating Search Results Bookmark w/o CSRF Warning

Chris Hiestand chiestand at salk.edu
Wed May 30 15:14:32 EDT 2012


Thanks for the great reply!


On May 24, 2012, at 7:32 PM, Alex Vandiver wrote:

> On Thu, 2012-05-24 at 14:51 -0700, Chris Hiestand wrote:
>> Firstly, I think that in general, you do not need to worry much about
>> CSRF if the request method is GET.
> 
> Secondly, RT has historically not differentiated between GET parameters
> and POST parameters; it is quite possible to alter a ticket's status by
> appending a "&Status=resolved" to the appropriate URL.

Ah, that was my mistake. Are "write" GET parameters removed in RT 4?
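
The point in the quoted reply, as an added example (not part of the original message and not RT's code): a handler that merges URL and body parameters lets a plain GET link change state, while a handler that accepts writes only from a token-bearing POST body keeps read-only search URLs bookmarkable. The parameter set, URLs, ticket dictionary and `csrf_token` field name are constructed assumptions.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Assumed set of state-changing parameters (constructed for this example).
WRITE_PARAMS = {"Status", "Owner", "Subject"}


def _flat(qs):
    """Parse a query/body string into {name: last value}."""
    return {k: v[-1] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def handle_merged(ticket, method, url, body=""):
    """Model of the behaviour in the quoted reply: GET and POST
    parameters are treated alike, so the request method is irrelevant."""
    args = {**_flat(urlsplit(url).query), **_flat(body)}
    for name in WRITE_PARAMS & args.keys():
        ticket[name] = args[name]
    return ticket


def handle_separated(ticket, method, url, body="", session_token=""):
    """Hardened model: writes are accepted only from a POST body that
    carries the per-session token; write parameters in a URL are refused."""
    query = _flat(urlsplit(url).query)
    form = _flat(body) if method == "POST" else {}
    if WRITE_PARAMS & query.keys():
        raise PermissionError("state-changing parameter in URL")
    writes = WRITE_PARAMS & form.keys()
    if writes:
        token = form.get("csrf_token", "")
        ok = bool(session_token) and hmac.compare_digest(
            token.encode(), session_token.encode())
        if not ok:
            raise PermissionError("missing or invalid CSRF token")
        for name in writes:
            ticket[name] = form[name]
    return ticket
```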


