Hello everyone. In a PHP / Twig / JS project, you need to pass the pair of variables csrf_token_name / csrf_token_hash to execute a POST request:

    function save_bookmark_to_product() {
        var product_id = $("#hidden_bookmarks_to_product").val()
        var product_bookmark_info = $("#product_bookmark_info").val()
        var is_featured = $("#is_featured").is(':checked')
        var href = "{{ base_url }}products/save_bookmark_to_product"
        jQuery.ajax({
            url: href,
            type: 'POST',
            data: {
                product_id : product_id,
                info : product_bookmark_info,
                is_featured : ( is_featured ? 'Y' : 'N' ),
                logged_user_id : '{{ LoggedUserId }}',
                {{ csrf_token_name }} : '{{ csrf_token_hash }}'
            },
            dataType: 'json',
            success: function(result) {
                if (result.ErrorCode != 0) {
                    alert( result.ErrorMessage )
                }
                if (result.ErrorCode == 0) {
                    location.reload();
                }
            }
        });
    }

And in the source I see:

    function save_bookmark_to_product() {
        var product_id = $("#hidden_bookmarks_to_product").val()
        var product_bookmark_info = $("#product_bookmark_info").val()
        var is_featured = $("#is_featured").is(':checked')
        var href = "http://local-wprods.com/products/save_bookmark_to_product"
        jQuery.ajax({
            url: href,
            type: 'POST',
            data: {
                product_id : product_id,
                info : product_bookmark_info,
                is_featured : ( is_featured ? 'Y' : 'N' ),
                logged_user_id : '1',
                csrf_test_name : '41033b3370643982ad5a33cc7e630a7d'
            },
            dataType: 'json',
            success: function(result) {
                if (result.ErrorCode != 0) {
                    alert( result.ErrorMessage )
                }
                if (result.ErrorCode == 0) {
                    location.reload();
                }
            }
        });
    }

The code above works fine.

But I want to put all the functions in a separate JS file, and I get an error. In the twig file, I define:

    var base_url = '{{ base_url }}'
    var logged_user_id = '{{ LoggedUserId }}'
    var csrf_token_name = '{{ csrf_token_name }}'
    var csrf_token_hash = '{{ csrf_token_hash }}'

...

In the separate JS file these variables are found, but there is an error:

    $(function() {
        // ...
        alert( "frontend_app.jsbase_url:"+base_url + " logged_user_id::"+logged_user_id+" csrf_token_hash::"+csrf_token_hash) // THE CORRECT VALUES ARE DISPLAYED
        fancyBoxInit()
        if ( parseInt(logged_user_id) > 0 ) {
            getCartSummary()
        }
    });

    function save_bookmark_to_product() {
        var product_id = $("#hidden_bookmarks_to_product").val()
        var product_bookmark_info = $("#product_bookmark_info").val()
        var is_featured = $("#is_featured").is(':checked')
        var href = " base_url products/save_bookmark_to_product"
        alert( "csrf_token_hash::"+csrf_token_hash ) // OUTPUTS csrf_token_hash::41033b3370643982ad5a33cc7e630a7d
        jQuery.ajax({
            url: href,
            type: 'POST',
            data: {
                product_id : product_id,
                info : product_bookmark_info,
                is_featured : ( is_featured ? 'Y' : 'N' ),
                logged_user_id : logged_user_id,
                csrf_token_name : csrf_token_hash
            },
            dataType: 'json',
            success: function(result) {
                if (result.ErrorCode != 0) {
                    alert( result.ErrorMessage )
                }
                if (result.ErrorCode == 0) {
                    location.reload();
                }
            }
        });
    }

But I get a 403 error

 An Error Was Encountered The action you have requested is not allowed. 

I do not understand why in the 2nd case a call from a separate file causes an error and what is the difference?

So:

 csrf_token_hash.toString() 

Does not help ...

Thanks!


The URL is correct and the request is processed correctly (data is added) if you disable csrf_protection in the config file.

The problem starts if the JS function save_bookmark_to_product is put into a separate JS file and the csrf_token_hash parameter is passed as an argument.

    alert( "csrf_token_hash::"+csrf_token_hash + " base_url::"+base_url ) // GIVES CORRECT PARAMETERS

    jQuery.ajax({
        url: href,
        type: 'POST',
        data: {
            product_id : product_id,
            info : product_bookmark_info,
            is_featured : ( is_featured ? 'Y' : 'N' ),
            logged_user_id : logged_user_id,
            csrf_token_name : csrf_token_hash
        },
        dataType: 'json',
        success: function(result) {
            if (result.ErrorCode != 0) {
                alert( result.ErrorMessage ) // I get a 403 error
            }
            if (result.ErrorCode == 0) {
                location.reload();
            }
        }
    });

As I wrote initially, if save_bookmark_to_product is located in a twig template

    function save_bookmark_to_product() {
        var product_id = $("#hidden_bookmarks_to_product").val()
        var product_bookmark_info = $("#product_bookmark_info").val()
        var is_featured = $("#is_featured").is(':checked')
        var href = "{{ base_url }}products/save_bookmark_to_product"
        jQuery.ajax({
            url: href,
            type: 'POST',
            data: {
                product_id : product_id,
                info : product_bookmark_info,
                is_featured : ( is_featured ? 'Y' : 'N' ),
                logged_user_id : '{{ LoggedUserId }}',
                {{ csrf_token_name }} : '{{ csrf_token_hash }}'
            },
            dataType: 'json',
            success: function(result) {
                // ...
            }
        });
    }

That works fine. But I wanted to put the js-function in a separate js-file and I do not understand why the error is in this case.

  • Do base_url, csrf_token_hash, csrf_token_name, csrf_token_hash come from your server normally? 403 Forbidden: the server understood the request, but it refuses to execute it because of restrictions on access for the client to the specified resource. Perhaps your URL is incorrectly formed. Have you checked that all the parameters arrive correctly? - Kostiantyn Okhotnyk
  • I also found stackoverflow.com/questions/21214612/… - Kostiantyn Okhotnyk
  • This is what the request looks like in Chrome: imgur.com/a/ZR6Ed. All parameters are in place and, as I wrote, if you disable CSRF protection in the config, it works fine. I uploaded my latest frontend_app.js file: pastebin.com/TBtrMTK7. Maybe it should be loaded in some other way? - mstdmstd
  • perhaps you have incorrectly configured mod_rewrite - Kostiantyn Okhotnyk
  • try setting $config['csrf_regenerate'] = TRUE; - Kostiantyn Okhotnyk
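
An added example (not part of the original thread or the project's code) comparing the two `data` objects from the question once they are serialized: in a JavaScript object literal, `csrf_token_name : csrf_token_hash` sends a field literally named `csrf_token_name`, whereas the inline template version sent `csrf_test_name`. The helper names, the sample form values and the `serverAccepts` stand-in for the server-side token check are assumptions made for illustration.

```javascript
// Values the template rendered into page globals (taken from the rendered
// source shown in the question).
const csrf_token_name = 'csrf_test_name';
const csrf_token_hash = '41033b3370643982ad5a33cc7e630a7d';

// Constructed sample form values.
const fields = { product_id: '7', info: 'note', is_featured: 'Y', logged_user_id: '1' };

// As written in the separate JS file: the key is the identifier's own text,
// not the value held by the variable of the same name.
function payloadLiteralKey(f, hash) {
  return { ...f, csrf_token_name: hash };
}

// Computed property name: the key is the value of `name` at run time.
function payloadComputedKey(f, name, hash) {
  return { ...f, [name]: hash };
}

// Form-encode a flat object, as a POST body would carry it.
function encode(data) {
  return new URLSearchParams(data).toString();
}

// Hypothetical stand-in for the server-side check: the token must arrive
// under the configured field name and equal the expected value.
function serverAccepts(body, expectedName, expectedHash) {
  const sent = new URLSearchParams(body).get(expectedName);
  return sent !== null && sent === expectedHash;
}

const literalBody = encode(payloadLiteralKey(fields, csrf_token_hash));
const computedBody = encode(payloadComputedKey(fields, csrf_token_name, csrf_token_hash));

console.log(literalBody);   // token travels as csrf_token_name=...
console.log(serverAccepts(literalBody, csrf_token_name, csrf_token_hash));
console.log(computedBody);  // token travels as csrf_test_name=...
console.log(serverAccepts(computedBody, csrf_token_name, csrf_token_hash));
```

With jQuery the same effect is obtained by building the object first and assigning `data[csrf_token_name] = csrf_token_hash` before the `jQuery.ajax` call.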
