XWork action form token validation fails on orphan pages & homepages

Actions that use form token validation don’t work on Confluence home pages and orphan pages (pages that do not have a parent page).

As per the documentation here, XWork actions can use a “validatingStack” in order to validate form tokens, thus adding security against possible XSRF attacks.

Here’s an example of how the action is set up in the atlassian-plugin.xml:

<xwork key="scaffolding-actions" name="Scaffolding Actions">

    <package name="scaffolding" extends="default" namespace="/pages">

        <default-interceptor-ref name="validatingStack" />

        <action name="doeditscaffold" class="com.package.name.EditScaffoldContentAction" method="doEdit">
            <param name="RequireSecurityToken">true</param>

            <result name="error_forms" type="json" />
            <result name="input_forms" type="velocity">/test/action/editscaffold-forms.vm</result>
            <result name="success_forms" type="json" />
            <result name="error" type="velocity">/test/action/editscaffold.vm</result>
            <result name="input" type="json" />
            <result name="success" type="redirect">${@com.atlassian.confluence.util.GeneralUtil@getPageUrl(page)}</result>
            <result name="redirectToEdit" type="redirect">/pages/editpage.action?pageId=${pageId}</result>
        </action>
    </package>
</xwork>

Our action class extends from com.atlassian.confluence.pages.actions.EditPageAction.

However, if the action executes on a homepage or orphan page, the following error is displayed: “A page can not be set as its own parent.”

This is a bit unexpected as the validation should support handling orphan and home pages appropriately, and should not throw this as an action error.

For now, we’ve had to implement our own workaround - however it would be nice if this could be addressed in the SDK somehow.
