I've edited the Helpdesk.php file to allow users to submit tickets, but after a number of changes, I keep getting the following error:
Title: GLPI - Access Denied
The action you have requested is not allowed. Reload previous page before doing action again.
It happens no matter what I do: refresh, or not refresh... signed in or not.
-- Hidden Inputs for _type and _auto_import are still there.
-- The PHP Include with the comment "Close form for CSRF" is present at the end.
-- Under Setup > General > Assistance, "Allow anonymous ticket creation" is set to Yes.
I've replaced my helpdesk form with the original French-language copy that came with GLPI, and the same error is present.
In includes.php, if I comment out the following, tickets go through, but obviously I don't want to keep running GLPI with Token checks off. (This does run on the public internet, but I have PHP masking all pages not from on-site.)
// No CSRF check if a plugin is not compliant
if (GLPI_USE_CSRF_CHECK
    && isset($_POST) && is_array($_POST) && count($_POST)
    && Plugin::isAllPluginsCSRFCompliant()) {
   // No ajax pages
   /* -- Commented Out this Part to get Tickets working again. ....
   if (!preg_match(':'.$CFG_GLPI['root_doc'].'(/plugins/[^/]*|)/ajax/:', $_SERVER['REQUEST_URI'])) {
      if (!Session::validateCSRF($_POST)) {
         Html::displayErrorAndDie("The action you have requested is not allowed. Reload previous page before doing action again.", true);
      }
   }
   .... End Comment out: Expected behavior- token reset, submitted as normal. */
}
// SET new global Token
$CURRENTCSRFTOKEN = '';
Last edited by uninventive (2012-10-04 21:24:39)
PEBKAC: PHP wasn't parsing because of a readfile statement instead of an include. OK to lock.
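The cause named in the last post (a readfile statement where an include was needed), reproduced as an added example that is not part of the original thread or of GLPI's code: a form fragment pulled in with readfile() is copied to the browser unparsed, so the token field never carries a real value. The fragment, the helper names render() and diagnose(), and the `_glpi_csrf_token` field name are assumptions for illustration.

```php
<?php
// Added example, not GLPI code. The fragment is constructed; the hidden
// field name _glpi_csrf_token is an assumption about the form's token input.
$fragment = tempnam(sys_get_temp_dir(), 'frag');
file_put_contents($fragment,
    '<input type="hidden" name="_glpi_csrf_token" value="<?php echo $token; ?>">' . "\n</form>\n");

// Render the fragment the way the page would and capture what the browser receives.
function render(string $path, string $how, string $token): string {
    ob_start();
    if ($how === 'include') {
        include $path;      // parsed and executed: $token is substituted
    } else {
        readfile($path);    // copied byte for byte: PHP tags reach the browser
    }
    return ob_get_clean();
}

// List the reasons a rendered form would fail a server-side token check.
function diagnose(string $html, string $expected): array {
    $problems = [];
    if (strpos($html, '<?php') !== false || strpos($html, '<?=') !== false) {
        $problems[] = 'unparsed PHP tag in output (file was not executed)';
    }
    if (!preg_match('/name="_glpi_csrf_token"\s+value="([^"]*)"/', $html, $m)) {
        $problems[] = 'no CSRF token field in form';
    } elseif (!hash_equals($expected, $m[1])) {
        $problems[] = 'token field present but value does not match session token';
    }
    return $problems;
}

$token = bin2hex(random_bytes(16));   // stand-in for the per-session token
foreach (['readfile', 'include'] as $how) {
    $problems = diagnose(render($fragment, $how, $token), $token);
    echo str_pad($how, 9), $problems ? implode('; ', $problems) : 'OK', "\n";
}
unlink($fragment);
```

Running the same two checks against the saved HTML source of the real form (a literal `<?php` in the page, a missing or empty token field) points at the rendering problem without turning off the token check in includes.php.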