XWiki 16.7.1 Realtime Collaborative Edition: almost perfect!

Hello,
I am glad to say I tested again the Realtime WYSIWYG collaborative edition feature, in XWiki 16.7.1 this time, and there is nothing blocking now. It is really nice!

I just ran into this, but it didn’t prevent anything from working while testing. I copy here the screenshot I took at that moment.

I haven’t retested on the LTS yet, but I’ll do that shortly.

Many thanks for your work.


Thanks a lot for testing the realtime editing! We want to enable it by default and this gives us confidence.

Do you remember how you got this? @MichaelHamann probably knows more about the cases where this warning message is shown. I think it’s caused by a missing CSRF token on the HTTP request, but AFAIK entering edit mode (both standalone and in-place) doesn’t require a CSRF token. @MichaelHamann WDYT about this?

It does, if the request contains things that modify the document (a template, a title, etc.). See xwiki-platform/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/EditAction.java at master · xwiki/xwiki-platform · GitHub.

Hello,
does it mean there is something we need to do on our server side, or does it mean there is something you have to do in the development process? (I understand the first, but I am unsure… )

Indeed, like when you arrive in edit mode from the Create Page step. But in this case the CSRF token is provided.

@jmarkoll when you get this warning message, how did you enter edit mode? If you enter from some custom UI (e.g. a custom edit link you add on some page) then you are responsible for adding the CSRF token to the URL. If you enter edit mode using some standard XWiki UI that you don’t control (was not created by you) then it’s probably a bug in XWiki, but we need to know what UI this is. So, how do you enter edit mode when this warning message is shown?

The XWiki installs have the vanilla theme.

When testing the Realtime collaborative mode I do the following:

  • I am logged in as admin

  • I open a private window in which I log in as another user (also admin… for this test instance)

With User 1 I start a new page with a title in the sandbox, using the default blank template

In Private Window 1 I paste the link to the new page being edited

The yellow warning appears.

It vanishes once both user accounts start typing. (I think… I could give it another try to be sure on that one).

This explains the problem. When you create a page you go from Create Page step to Edit mode. The Create Page step adds a special parameter to the Edit mode URL, form_token, whose value is a secret token, different for each user. This is used to prevent CSRF attacks. The edit URL you paste in the private window has this parameter, but its value is bound to the first user. When the edit action checks the validity of the secret token it sees that it doesn’t match the value bound to the second user, so you get the warning because the provided secret token is not valid. You can avoid the warning if U1 saves and then U2 simply edits the created page, or if U2 goes through the Create Step and inputs the same page name.

Hope this helps,
Marius
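
The behaviour described in this reply, as an added example that is not part of the original thread and is not XWiki's own code: a small Python model of a per-user form_token check in which a token is only required when the edit request carries document-modifying parameters. The TokenStore class, the URL path and the parameter set are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: parameters that make an edit request modify the document
# (the thread names a template and a title as examples).
MODIFYING_PARAMS = {"template", "title"}

class TokenStore:
    """Toy per-user CSRF token store (hypothetical stand-in for server state)."""

    def __init__(self):
        self._tokens = {}

    def token_for(self, user):
        # One random secret per user, created on first use.
        return self._tokens.setdefault(user, secrets.token_urlsafe(16))

    def is_valid(self, user, token):
        # Constant-time comparison against the token bound to *this* user.
        if token is None:
            return False
        return hmac.compare_digest(self.token_for(user).encode(), token.encode())

def edit_url_after_create(store, user, page, title):
    """URL the create step hands to edit mode; it carries the creator's token."""
    query = urlencode({"title": title, "form_token": store.token_for(user)})
    return f"/bin/edit/{page}?{query}"  # constructed path, for illustration only

def check_edit_request(store, user, url):
    """Return 'ok' or 'csrf-warning' for `user` opening `url`."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if not params.keys() & MODIFYING_PARAMS:
        return "ok"  # plain edit request: no token required
    if store.is_valid(user, params.get("form_token")):
        return "ok"
    return "csrf-warning"  # token missing, or bound to a different user

def demo():
    store = TokenStore()
    url = edit_url_after_create(store, "U1", "Sandbox/NewPage", "New page")
    plain = "/bin/edit/Sandbox/NewPage"
    return {
        "U1 opens own URL": check_edit_request(store, "U1", url),
        "U2 opens pasted URL": check_edit_request(store, "U2", url),
        "U2 opens plain edit URL": check_edit_request(store, "U2", plain),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```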

Hello @mflorea at first sight it seems somehow complicated. I’ll do more tests.