Description
When submitting a form from a plugin without a CSRF token set, the following error will be generated:
Files does not exist: /path/to/plugins/PLUGIN/views/INTERFACE/bootstrap/message.pdt on line 120 in /path/to/lib/view.php
PLUGIN being: order, support_manager, etc.
INTERFACE being: admin, client
This occurs because the plugin does not provide a message template. Instead, the plugin uses the core message template for displaying messages by setting $in_current_view to false in AppController::setMessage and AppController::flashMessage.
Since AppController validates the CSRF token and generates a message, it is not aware that the call came from a plugin, and defaults $in_current_view to true.
See http://www.blesta.com/forums/index.php?/topic/3448-error-when-displaying-missing-csrf-token-message/
AppController knows it was a plugin and wants to use the plugin's message handler to display the CSRF message, but because this happens outside of the plugin's controller, the fact that the plugin told the system not to use its views is irrelevant.
The solution here is to either:
a. Don't try to process forms without CSRF (it's a bad idea anyway)
b. Explicitly exclude your controller/action from CSRF checks in the /config/blesta.php config
c. Create a message view file to handle the error in the plugin.
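For option (a), an audit script can list the plugin forms that would hit this error. The following is an added example, not Blesta's code and not from the original page: it flags raw POST `<form>` tags in `.pdt` view files that carry no token field. The hidden field name `_csrf_token`, the sample template, and the function names are assumptions; forms emitted at runtime by a helper are not inspected.

```python
import pathlib
import re
import sys

TOKEN_FIELD = "_csrf_token"  # assumed name of the hidden CSRF field
PHP_BLOCK = re.compile(r"<\?(?:php|=).*?\?>", re.S)
RAW_FORM = re.compile(r"<form\b([^>]*)>(.*?)</form\s*>", re.I | re.S)
METHOD = re.compile(r"""\bmethod\s*=\s*["']?\s*(\w+)""", re.I)

# Constructed sample view: only the first form lacks a token.
SAMPLE = '''<div>
<form method="post" action="<?php echo $this->base_uri; ?>plugin/order/">
  <input type="text" name="qty">
</form>
<form action="<?php echo $this->base_uri; ?>" method="POST">
  <input type="hidden" name="_csrf_token" value="<?php echo $token; ?>">
</form>
<form method="get"><input name="q"></form>
</div>
'''


def _mask_php(src):
    # Blank out PHP blocks, keeping length and newlines, so a "->" inside
    # an attribute value cannot be mistaken for the end of the <form> tag.
    return PHP_BLOCK.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def forms_missing_token(template):
    """Return 1-based line numbers of raw POST forms with no token field."""
    findings = []
    for m in RAW_FORM.finditer(_mask_php(template)):
        method = METHOD.search(m.group(1))
        if not method or method.group(1).lower() != "post":
            continue  # only state-changing POST forms are checked
        # Look for the token in the unmasked text: PHP may emit the field.
        if TOKEN_FIELD in template[m.start(2):m.end(2)]:
            continue
        findings.append(template.count("\n", 0, m.start()) + 1)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan every .pdt view under the given directory
        for path in sorted(pathlib.Path(sys.argv[1]).rglob("*.pdt")):
            for line in forms_missing_token(path.read_text(errors="replace")):
                print(f"{path}:{line}: POST form without {TOKEN_FIELD}")
    else:
        print(forms_missing_token(SAMPLE))
```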