Add, edit buttons not working when enabling CodeIgniter CSRF



jrierab

Posted 25 March 2015 - 17:17 PM

When enabling CodeIgniter's internal CSRF protection with:

$config['csrf_protection'] = TRUE;

in config/config.php, then GC auto-generated action buttons (edit, view) and links (add) do not work anymore.

It seems that the CSRF token is not passed along in the Ajax calls (confirmed with Firebug). Is it possible to use this feature with GC?


BTW I'm using GC 1.5.0 and CI 2.2.0.

 


Amit Shah

Posted 29 March 2015 - 04:12 AM

It will be difficult to manage it with Ajax in place, because the CSRF token in reality changes with every request fetched. With Ajax, the earlier token stays with the page, so when the request comes back for processing it is stuck with the old token and not the new one. Hence it will always fail.


jrierab

Posted 30 March 2015 - 08:20 AM

Mmm... The strange thing is that in this comment (2013) John says:


"Actually after too maaaaany requests of implementing default CSRF of codeigniter in grocery CRUD, I actually implemented into grocery CRUD quietly without announcing it :-) (It is there at 1.3.3 as well)

So if you want to use the default codeigniter's CSRF protection you can use it in grocery CRUD WITHOUT changing anything in the main library."


So, the question is: Is CSRF protection broken for GC 1.5.0 and CI 2.2.0? Was it removed? Or, more probably, am I missing something that should be done in my code?


jrierab

Posted 10 April 2015 - 15:36 PM

As a workaround set:

$config['grocery_crud_dialog_forms'] = false;

in application/config/grocery_crud.php.

 

This option works well without CSRF protection enabled (that is, it can be set to true to produce more elegant forms), but fails when set if no code modifications are done in the JavaScript.

 

See my question/answer in StackOverflow for more details/options.
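
Added example, not part of the thread and not Grocery CRUD's own code: one way to make jQuery Ajax POSTs carry the token that the first post found missing, by reading CodeIgniter's CSRF cookie at send time instead of relying on the value rendered into the page. The field and cookie names are CodeIgniter 2.x defaults and are assumptions about your config.php, the cookie is assumed to be readable from script, and the helper function names are made up for this example.

```javascript
// Added example. These names are CodeIgniter 2.x defaults (assumed here);
// change them if csrf_token_name / csrf_cookie_name differ in config.php.
const CSRF_FIELD = 'csrf_test_name';     // $config['csrf_token_name']
const CSRF_COOKIE = 'csrf_cookie_name';  // $config['csrf_cookie_name'], plus any cookie_prefix

// Return the current token from a document.cookie-style string, or null.
function readCsrfToken(cookieString, cookieName = CSRF_COOKIE) {
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === cookieName) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// The token is attached to same-origin requests only, so it never reaches another host.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (e) {
    return false;
  }
}

// Add the token field to a urlencoded body, replacing a stale copy if one is present.
function withCsrfField(body, token, field = CSRF_FIELD) {
  const params = new URLSearchParams(body || '');
  params.set(field, token);
  return params.toString();
}

// Return the body a request should be sent with (unchanged when no token applies).
function protectRequest(req, cookieString, pageOrigin) {
  const method = String(req.type || req.method || 'GET').toUpperCase();
  if (method !== 'POST' || !isSameOrigin(req.url, pageOrigin)) return req.data;
  const token = readCsrfToken(cookieString);
  if (token === null) return req.data;  // no cookie yet: the server will reject the POST
  // Non-string bodies (e.g. FormData) are passed through unchanged.
  if (req.data != null && typeof req.data !== 'string') return req.data;
  return withCsrfField(req.data, token);
}

// Browser wiring: runs only when jQuery is loaded on the page.
if (typeof jQuery !== 'undefined') {
  jQuery.ajaxPrefilter(function (options) {
    options.data = protectRequest(options, document.cookie, window.location.origin);
  });
}
```

Load it after jQuery and before the scripts that issue the Ajax calls, so the prefilter is registered first.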