Comment 4 for bug 1007261

Paul Sokolovsky (pfalcon) wrote : Re: API key auth leads to 403 for write access

After investigation, I found that the 403 Forbidden response is accompanied by:

Jun 4, 2012 10:59:52 AM hudson.security.csrf.CrumbFilter doFilter
WARNING: No valid crumb was included in request for /jenkins/job/precise-armhf-beagleboard/lastBuild/configSubmit. Returning 403.

And traced that to "Prevent Cross Site Request Forgery exploits" being activated on ci.linaro.org (and not on android-build). If it's disabled, the mangle-jobs script works as expected. There's also an "Enable proxy compatibility" sub-option, but activating it doesn't change the behavior. I.e., to work around the issue, "Prevent Cross Site Request Forgery exploits" should be turned off while the script is being run.

Now, for a more sustained solution, further research should be done - for example, it's apparently the case that the XSS protection token should not be required for API access, so requiring it is a Jenkins bug, but that still needs to be checked. Then, we should check whether it would still be easy to add the token to API calls as a workaround, or whether it makes sense to turn off that option permanently.
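
Added example, not part of the original comment and not the mangle-jobs script's code: one way a client could keep the CSRF option enabled by fetching a crumb from Jenkins' `crumbIssuer/api/json` endpoint and sending it with each POST. The user name, API key, form field and sample crumb response are constructed, and sending the crumb as a request header (rather than a form field) is an assumption about what the CrumbFilter on the target version accepts.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample of what GET <base>/crumbIssuer/api/json returns.
SAMPLE_CRUMB_JSON = b'{"crumb": "0123456789abcdef", "crumbRequestField": ".crumb"}'


def parse_crumb(body):
    """Return (field_name, crumb_value) from a crumbIssuer JSON response."""
    data = json.loads(body)
    field, crumb = data.get("crumbRequestField"), data.get("crumb")
    if not field or not crumb:
        raise ValueError("crumb issuer response lacks crumb or crumbRequestField")
    return field, crumb


def basic_auth(user, api_key):
    """HTTP Basic credentials built from the user name and API key."""
    token = base64.b64encode(f"{user}:{api_key}".encode()).decode()
    return "Basic " + token


def fetch_crumb(base_url, user, api_key, opener=urllib.request.urlopen):
    """Ask Jenkins for a crumb; `opener` is injectable so this can run offline."""
    req = urllib.request.Request(base_url.rstrip("/") + "/crumbIssuer/api/json")
    req.add_header("Authorization", basic_auth(user, api_key))
    with opener(req) as resp:
        return parse_crumb(resp.read())


def build_post(base_url, path, form, user, api_key, crumb):
    """Build an authenticated POST that carries the crumb as a request header."""
    field, value = crumb
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
    )
    req.add_header("Authorization", basic_auth(user, api_key))
    req.add_header(field, value)  # name comes from the server, not hard-coded
    return req
```

The header name is taken from `crumbRequestField` because it is configurable on the server side; the script would call `fetch_crumb` once and pass the result to every `build_post` before handing the request to `urllib.request.urlopen`.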