Csrf On Post Failure

I'm sure I'm doing/not_doing something but for the life of me, can't find it.

I have an addon where vendor_multivendor.post.php permissions are true for the controller.

When I try to post the form, it's generating the csrf error message and redirecting to the vendor.php page.

In inspecting with the browser, it is not passing a security_hash in the request data. I'm not sure what JS triggers adding the security_hash to the POSTed data. I've double checked and I'm doing things the same way I have in countless other addons.

The form has a total of about 20 variables. The max_post_data is set to 150M and the max_input_vars is set to 10000.

I think I need a new set of eyes or suggestions on what to check. Getting brain-fuzzy at this point.

There are only a few things I can think of:

1. Make sure the form close is *exactly* as follows. Any spacing will cause it to behave incorrectly.


2. Check if the schema is actually included and if it returns itself.

It's hard to help blindly as it is working perfectly fine for me, so sharing a few more details as to what you are doing would be of great help.

Form tag is as above.

Schema is being read. I get access to the controller as Vendor. If it wasn't, I'd be denied (vendor_multivendor.post.php).

Here's the code and it's the same model I use on many other addons. That's why I'm kind of stumped.

Sorry but the 'paste' removes tabs....

{capture name="mainbox"}
{capture name="tabsbox"}

{include file="common/subheader.tpl" title="{__("ez_pos_settings")}: General"}
Test General Setting Name
{foreach from=$warehouses key="warehouse_id" item="name"}
{include file="common/subheader.tpl" title=__("ez_pos_settings")|cat:": ":$name} {foreach from=$pos_settings.$warehouse_id item="setting_data"} {*
setting_data:{$setting_data|print_r:true}
*} {$tooltip = __($setting_data.tooltip)} {if $tooltip|strpos:'_' === 0 } {$tooltip = $setting_data.tooltip} {/if}
{__($setting_data.setting_name)}: 
{if $tooltip} {include file="common/tooltip.tpl" tooltip=$tooltip} {/if}
{/foreach}
{/foreach} {/capture} {** tabsbox **}

{capture name="buttons"}
{include file="buttons/save.tpl"
but_name="dispatch[ez_pos_settings.manage]"
but_role="submit-link"
but_target_form="ez_pos_settings_form"
}
{/capture} {** buttons **}
{include file="common/tabsbox.tpl" content=$smarty.capture.tabsbox group_name=$runtime.controller active_tab=$selected_section track=true}
{/capture} {** mainbox **}

{include file="common/mainbox.tpl"
title=__('ez_pos_settings')
content=$smarty.capture.mainbox
buttons=$smarty.capture.buttons
adv_buttons=$smarty.capture.adv_buttons
}

The form closing tag is not in the correct place. It should be in the tabsbox capture.

Hmm, I see what you mean. Seems like the proper place to put the opening form tag would be above the first capture. I'll give it a try both ways and see what happens.

Always good to have new eyes! Thanks.

Reason this causes an issue is that the input for the security_hash will get shifted. Because the browser assumes the element is corrupted, it will force close the 'form' before the location of this input, meaning that the input will not be contained in the form. Therefore, it's not sent in the request and you get this error ;)

You can verify this by checking if the form contains the 'security_hash' input using 'inspect element'.
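
A console version of that check, as an added example that is not part of the original post and not CS-Cart code: it lists every POST form in the rendered page, reports whether a `security_hash` control is among the fields the browser will submit with it, and counts `security_hash` inputs that ended up outside any form. The function name `auditCsrfForms` is made up for this example.

```javascript
// Added diagnostic sketch, not CS-Cart code. Paste into the browser console
// on the page whose POST fails. "security_hash" is the field named in the thread.
function auditCsrfForms(doc, field = 'security_hash') {
  const report = [];
  for (const form of Array.from(doc.forms)) {
    // The thread concerns POST submissions, so skip other forms.
    if (String(form.method || 'get').toLowerCase() !== 'post') continue;
    // form.elements lists the controls the browser associates with this form,
    // which is what ends up in the request body on submit.
    const controls = Array.from(form.elements);
    const token = controls.find((el) => el.name === field);
    report.push({
      form: form.getAttribute('name') || form.id || '(unnamed)',
      controls: controls.length,
      hasToken: Boolean(token),
      // false while hasToken is true: the parser repaired misnested markup
      // and the token is associated with the form without being inside it.
      tokenInsideForm: Boolean(token) && form.contains(token),
    });
  }
  // Token inputs that belong to no form: the symptom described above.
  const orphans = Array.from(doc.querySelectorAll(`input[name="${field}"]`))
    .filter((el) => !el.form).length;
  return { report, orphans };
}

if (typeof document !== 'undefined') {
  const result = auditCsrfForms(document);
  console.table(result.report);
  console.log('security_hash inputs outside any form:', result.orphans);
}
```

A row with `hasToken: false` together with a non-zero orphan count points at form tags that open and close in different template blocks.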

Appreciate your help. Will try to test it later today.