This is a regression that came about because of our RBAC work. Users of new teams can't unpause their first pipelines; they get 403 errors.
Steps to Repro
@pivotal-jwinters I would really like to better understand the choice to store CSRF tokens in browser localStorage. The cause of this issue is that during the fly browser login flow, the following happens:
Thus the CSRF token doesn't end up saved in localStorage like it would in the web login flow, and so if you keep using that browser to access the web UI, you will get 401s for CSRF violations on any state-changing action (like unpausing a pipeline).
For the time being, I plan to change the last step so that fly will instead redirect the browser to
@jama-pivotal a note about acceptance - right after you hit 'login' after typing in your username and password, you may need to do a (cacheless) hard-refresh on the 'success' page (the one with URL
This is mostly of concern if you perform the test on a browser that has cached this file before -- there's a very long cache policy on stuff under
(tl;dr - I noticed you reproducing this issue using incognito mode, which might be enough to avoid this caching hiccup)