Unregistered action (via custom module) leads to XSRF Attack Detected error

Problem description

In SugarCRM 8.0.1, I am trying to make a new, unregistered action work.

The action is a form and has been added to my custom module. I am trying to reach it from itself in the following manner so that on form submission, the form-data is sent back to itself (aka, the action link leads back to the same page the form is on):

<form method="POST" name="ConfigureSettings" action="#bwc/index.php?module=CustomModule&action=newAction">

Based on SugarCRM Support's Troubleshooting Cross-Site Forgery Messages, the way to add an additional action is as follows:


To add an unregistered action as an allowed action (e.g., for a custom module), add the following line of code to the config_override.php file:

$sugar_config['http_referer']['actions'] =array( 'index', 'ListView', 'DetailView', 'EditView', 'oauth', 'authorize', 'Authenticate', 'Login', 'SupportPortal', 'bad_action' );


Doing this alone does not work, and trying to save my changes or cancel editing my form will still lead to the same error:

Cross Site Request Forgery (XSRF) Attack Detected
Form authentication failure (CustomModule -> newAction). Contact your administrator.

Is there something I have to edit in the $sugar_config to relate it to my specific action? I tried changing bad_action to newAction, but to no avail.

Found a workaround here which will just log the error rather than abort the action, and it proves that my form is working correctly in which I am led back to the same page and the form has been updated.

Unfortunately, this is not a solution to my problem because this is unsafe for a production instance, and I am still not sure why I'm getting the error in the first place as I am not redirecting to a site outside of the instance.

Recommended answer

Turns out that the HTML form needs to be separated from the PHP file by using a Template file and Smarty tags to replace the instances of PHP in the Template file.

Did the above, then included the {sugar_csrf_form_token} mentioned here (https://community.sugarcrm.com/community/developer/blog/2015/12/01/csrf-tokens-in-sugar-77) in the Template file, and it's working correctly now.
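
A simplified model of the behaviour in this thread, added here as an example: an allow-listed action is still rejected when the POST carries no form token, and passes once the template embeds one. It is not SugarCRM's code or the poster's; the function names, the `csrf_token` field name and the two-check structure are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Simplified model of the behaviour reported above; NOT SugarCRM source code.
// Assumption: the action allow-list and the form token are separate checks.

// Allow-list from the config_override.php line in the question, with
// 'bad_action' swapped for 'newAction' as the asker tried.
$allowedActions = ['index', 'ListView', 'DetailView', 'EditView', 'oauth',
    'authorize', 'Authenticate', 'Login', 'SupportPortal', 'newAction'];

/** Issue a per-session token; stands in for what {sugar_csrf_form_token} embeds. */
function issueFormToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/** Decide whether a POST to $module -> $action may proceed (hypothetical helper). */
function checkPost(array $session, array $post, array $allowed, string $module, string $action): string
{
    $where = sprintf('(%s -> %s)', $module, $action);
    if (!in_array($action, $allowed, true)) {
        return "rejected: action not allow-listed $where";
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an empty or missing token never passes.
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return "rejected: Form authentication failure $where";
    }
    return 'accepted';
}

$session = [];
$token = issueFormToken($session);

// Constructed sample requests, all aimed at the allow-listed action.
$cases = [
    'hand-written form, no token field' => ['setting' => 'x'],
    'template form with embedded token' => ['setting' => 'x', 'csrf_token' => $token],
    'forged POST guessing a token'      => ['setting' => 'x', 'csrf_token' => str_repeat('0', 64)],
];
foreach ($cases as $label => $post) {
    echo $label, ': ', checkPost($session, $post, $allowedActions, 'CustomModule', 'newAction'), PHP_EOL;
}
```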
