CSRF token and file uploads

greaterebiz Posts: 8 Questions: 5 Answers: 0

How can I ensure the correct CSRF token is sent when using the Editor file upload function? When I try to upload a file it is not working because I get a CSRF error, as if no token is being sent.

Answers

  • greaterebiz Posts: 8 Questions: 5 Answers: 0

    I found the answer after searching more of the excellent DataTables online documentation. You can include custom header data, such as the CSRF token name and CSRF hash value, in the ajax data as shown below. In my case I am using a CodeIgniter based system, so a PHP call to the security class allows me to get the current CSRF hash.

    <code>
    var editor = new $.fn.dataTable.Editor({
        ajax: {
            url: '<?=base_url()?>cohokc_treasurer/admin/transactions/ajax/datatable',
            headers: {
                'csfr_token_name': '<?=$this->security->get_csrf_hash()?>'
            },
            type: 'POST',
            data: function (d) {
            }
        },
        ...
    </code>

  • greaterebiz Posts: 8 Questions: 5 Answers: 0
    edited May 2017

    My fix listed in the previous comment does not fully work. The CSRF token does appear in the request header data but not in the request payload data (i.e. the POST data).

    Still trying to figure out a way to make this work. It seems there needs to be a way to tell the Editor.upload function to include the CSRF hash in the payload data, but I do not see a way to do this without modifying the code and I really don't want to do that.

  • allan Posts: 63,891 Questions: 1 Answers: 10,530 Site admin
    Answer ✓

    There is a way - the upload field type has an ajaxData option which can be used to provide additional information to the server:

    ajaxData: function ( d ) {
      d.append( 'csfr_token_name', '<?=$this->security->get_csrf_hash()?>' );
    }
    

    Allan
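
Added example, not part of the thread and not Editor or CodeIgniter code: a simplified model of why the header-only attempt was rejected while a token appended to the upload body is accepted. It assumes the server compares a POST field against a cookie value; the cookie name, sample hash and helper functions are hypothetical.

```javascript
// Added illustration: a model of the check, not CodeIgniter or Editor source.
const TOKEN_FIELD = 'csfr_token_name'; // field name exactly as written in the thread
const TOKEN_COOKIE = 'csrf_cookie';    // hypothetical cookie carrying the same hash

// Compare two strings without returning early at the first differing character.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Assumed server behaviour: the token must be a POST field that matches the
// cookie. Request headers are never consulted.
function verifyCsrf(req) {
  return safeEqual(req.body.get(TOKEN_FIELD), req.cookies[TOKEN_COOKIE]);
}

// Hypothetical stand-in for the upload request: a multipart body (FormData)
// that an ajaxData-style callback may extend before it is sent.
function buildUpload(file, { headers = {}, ajaxData } = {}) {
  const body = new FormData();
  body.append('upload', file, 'receipt.pdf');
  if (ajaxData) ajaxData(body);
  return { headers, body };
}

function runDemo() {
  const hash = '5f2b7c1e9a0d4e6f8b3a1c2d4e5f6a7b'; // constructed sample value
  const cookies = { [TOKEN_COOKIE]: hash };
  const file = new Blob(['constructed file bytes'], { type: 'application/pdf' });
  const send = (opts) => ({ cookies, ...buildUpload(file, opts) });
  return {
    headerOnly: verifyCsrf(send({ headers: { [TOKEN_FIELD]: hash } })),
    inBody: verifyCsrf(send({ ajaxData: (d) => d.append(TOKEN_FIELD, hash) })),
    staleToken: verifyCsrf(send({ ajaxData: (d) => d.append(TOKEN_FIELD, 'x'.repeat(32)) })),
  };
}

console.log(runDemo());
```

Requires a runtime with global `FormData` and `Blob` (a browser, or Node 18 and later).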

This discussion has been closed.