I'm sure I'm doing/not_doing something but for the life of me, can't find it.
I have an addon where vendor_multivendor.post.php permissions are true for the controller.
When I try to post the form, it's generating the csrf error message and redirecting to the vendor.php page.
In inspecting with the browser, it is not passing a security_hash in the request data. I'm not sure what JS triggers adding the security_hash to the POSTed data. I've double checked and I'm doing things the same way I have in countless other addons.
The form has a total of about 20 variables. The max_post_data is set to 150M and the max_input_vars is set to 10000.
I think I need a new set of eyes or suggestions on what to check. Getting brain-fuzzy at this point.