Thanks Willr!
We've moved the forum!
Please use forum.silverstripe.org for any new questions
(announcement).
The forum archive will stick around, but will be read only.
You can also use our Slack channel
or StackOverflow to ask for help.
Check out our community overview for more options to contribute.
- Previous 10 entries
- 1
- Page 22(current)
was having this problem too with a "file upload" area using "user forms"
with small files, all fine.
larger files caused CSRF ATTACK message.
updated the php.ini settings with:
upload_max_filesize = 20M TO upload_max_filesize = 50M
post_max_size = 20M TO post_max_size = 50M
ALSO
max_input_time = 120; (from 60)
max_execution_time = 120; (from 60)
All works fine now, no need to disable the security tokens
Form.php:
236. if(!$token->checkRequest($request))
237. $this->httpError(400, "Security token doesn't match, possible CSRF attack.");
Should at least nbe internationalized...
I did create a 400 ErrorPage in the CMS, but that doesn't work: the default RequestHandler::httpError() function just throws the actual error string, and doesn't retrieve the errorpage, only gives you the white screen... The httpError() function in the ContentController does, but that doesn't work for the Form class class. So I did:
237. $this->controller->httpError(400, "Security token doesn't match, possible CSRF attack.");
That works as long as the controller extends ContentController (Page_controller) which it normally does. If not, you could do this:
237. $response = ErrorPage::response_for(400);
238. throw new SS_HTTPResponse_Exception($response);
Simple test: temporarily replace
236. if(!$token->checkRequest($request))
by
236. if(!$token->checkRequest($request) || 1)
All this means hacking :-( - or extending the Form class...
In a custom Form class it's really simple :-)
class MyForm extends Form {
...
public function httpError($code, $message = null) {
$response = ErrorPage::response_for($code);
if (empty($response)) $response = $message;
throw new SS_HTTPResponse_Exception($response);
}
}
Will display 400 error page from the CMS...
martimiz - agreed, that message should really use the 400 (or whatever code is most relevant) error page from the CMS. Looks like you have got it working together well, do you want to submit the change as a pull request on github. I think it'll be worth getting into core.
Willr - yes, I think a pull request would be nice. But I'm not quite sure what should be patched:
1. the RequestHandler::httpError() method,
that doesn't use the ErrorPage (don't know if it should or if there might be other situations where it shouldn't?)
2. the actual check in the Form class,
that uses $this->httpError() and not $this->controller->httpError(); (would work only if the Form's controller allways extends ContentController
3. an extra Form::httpError() method?
Besides: since errorpages don't actually show the error message, wouldn't it be a good idea to at least show the actual errors on dev mode?
Oh - and I still haven't a clue how to do pull requests... :-[
- Previous 10 entries
- 1
- Page 22(current)