  1. Blesta Core
  2. CORE-1498

Plugin form submissions without a valid CSRF token cause missing file error

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: 3.3.2
    • Component/s: Plugins
    • Labels:
      None

      Description

      When submitting a form from a plugin without a CSRF token set, the following error will be generated:
      Files does not exist: /path/to/plugins/PLUGIN/views/INTERFACE/bootstrap/message.pdt on line 120 in /path/to/lib/view.php

      Here PLUGIN is the plugin (order, support_manager, etc.) and INTERFACE is the interface (admin or client).

      This occurs because the plugin does not provide a message template. Instead, the plugin uses the core message template for displaying messages by setting $in_current_view to false in AppController::setMessage and AppController::flashMessage.

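      Since AppController itself validates the CSRF token and generates the failure message, it is not aware that the call came from a plugin and defaults $in_current_view to true, so the view looks for message.pdt in the plugin's view directory, where it does not exist.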

      See http://www.blesta.com/forums/index.php?/topic/3448-error-when-displaying-missing-csrf-token-message/


          People

          • Assignee:
            cody Cody Phillips (Inactive)
            Reporter:
            tyson Tyson Phillips (Inactive)
          • Votes:
            0
            Watchers:
            2

            Dates

            • Created:
              Updated:
              Resolved:
              Fix Release Date:
              11/Nov/14