Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In with Google Sign In with OpenID

Form App Issue

edited July 2012 in Apps Isolated form view page only:

For some reason, that form can ONLY be submitted if you are an admin user... even though it appears to be correctly posting the data. No idea what's going on. Tried disabling CSRF even. Any ideas?


  • Also, it seems it only work if logged in as admin on a page where it is a dynamic widget. Doesn't work if it is just the form page.

    This is weird...

  • Just checked my other sites using the form app... this is effecting all of them apparently.

  • edited July 2012

    Disabling CSRF at the app level didn't work, however when I did so at the lib/Form.php it fixed the issue.

    So... CSRF is busted, I think I already actually knew that because I have had to disable it on every other form I've used on most of my projects. I'll have to take a look and see what's up with it.

  • Is there any JavaScript console output showing on the page? Elefant appends a tiny script that injects the CSRF token into the form dynamically like this:

    <script>$(function(){$("form").append("<input type='hidden' name='_token_' value='TOKEN_VALUE'/>");});</script>

    On submit, the form receives an extra _token_ parameter that it can compare to one stored in the session data. Maybe it's not adding it to the right form element, or maybe it's not getting added to the page at all?

  • edited July 2012

    Nothing in the console.

    I see this in my page:

     <script>$(function(){$("form").append("<input type='hidden' name='_token_' value='cacb9b92df728d3e8b09a5e43f3bf87a'/>");});</script>

    This is getting appended to the form:

     <input type="hidden" name="_token_" value="cacb9b92df728d3e8b09a5e43f3bf87a">

    Still doesn't process on submit correctly.

  • Since disabling csrf checking fixed it, it's most likely in the verify_csrf() Form method. This does the following:

    1. Check for the existence of $_SESSION['csrf_token'] and $_SESSION['csrf_expires']. If this doesn't pass, then the form was submitted from an external source, or there was an issue with initializing the session in initialize_csrf().

    2. Determines whether to use $_GET or $_POST by checking $this->method. The method value is made lowercase in the contructor, so this should be fine.

    3. If the token field is not set, returns false.

    4. If the token value doesn't match the one in $_SESSION['csrf_token'], returns false.

    5. If the $_SESSION['csrf_expires'] value has expired, returns false.

    I'd try printing everything at the top of the method and seeing what it outputs:

    var_dump ($_SESSION);
    var_dump ($_POST);

    If you have multiple forms open in separate tabs, this could cause the verification to fail (limitation of storing only one token at a time in $_SESSION['csrf_token']), but that's probably not the issue here.

    It could also be missing a session_start(), in which case the $_SESSION values will be missing. That may be the most likely thing.

Sign In or Register to comment.