Jump to content

Resolved - Parallell editing of products (cubecart 6)


bos

Recommended Posts

In product list, I rightclick and open 10 products in new tabs to be able to edit them in parallell.

 

Editing the first item is fine. Editing the rest gives this message: "Security Alert: Possible Cross-Site Request Forgery (CSRF) or browser back button used." and my edits are gone.

This is no CSRF, whatever that means, and I really want the ability to edit in parallell, so how do I disable this check?

Link to comment
Share on other sites

This is a restriction in CC5/6. One used to be able to do this in CC3/4.

"Invalid Security Token" happens when CubeCart received submitted form details from a form that was other than just immediately prior fetched from CubeCart.

That is, CubeCart sends you the Orders List page. On this page, you have the browser open an Order Summary into a new browser tab. Then you have the browser open a different Order Summary into a third browser tab. The forms on each tab have the same security token.

When POSTing a form, CubeCart compares the latest generated security token with the hidden token value submitted with the form. If the same, then all is good. If a mismatch, CubeCart is supposed to ignore the form data submitted and show you the admin Dashboard with a warning.

Next, CubeCart generates another security token. This new, current token will no longer match any previously fetched form. Only pages fetched after the very latest form POSTed will have the new, current token.

How to disable? I haven't verified this will work, but in /classes/sanitize.class.php, at the end of the file, find:

static private function _stopToken() {

Add the word return; right after it:

static private function _stopToken() { return;

Just to be complete in my reply, adding the security token code to CubeCart was done for a reason. Bypassing this code (if it works) may have consequences.

Link to comment
Share on other sites

Thank you for explaining.

 

I'm aware that disabling it will most likely have consequences. However, my store is still in the making and unavailable to the public (noone even knows it exists, less where it is), so disabling it during this time will - hopefully - have no big impact.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...