developer.jelix.org is not used any more and exists only for history. Post new tickets on the Github account.

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#828 closed task (wontfix)

formurlparam and __JFORMS_TOKEN__

Reported by: foxmask
Owned by:
Priority: normal
Milestone:
Component: jelix:plugins:tpl
Version: 1.1RC3
Severity: normal
Keywords:
Cc:
Blocked By:
Blocking:
Documentation needed: no
Hosting Provider:
Php version:

Description

this code

{formurlparam 'module~controller:action'}

should add the hidden JFORMS_TOKEN with the other hidden input

<input type="hidden" name="action" value="controller:action"/>

actually we don't have this hidden input like with {form $form...}

Change History (6)

comment:1 Changed 11 years ago by bballizlife

But the jtpl plugin {formurlparam} is to be used when you do not use jForms. So, according to me, this has nothing to do with JFORMS_TOKEN.

comment:2 Changed 11 years ago by foxmask

agree

but shouldn't we provide a feature like JFORMS_TOKEN for jTpl?

comment:3 Changed 11 years ago by bballizlife

It's not about just providing an enhancement of a jtpl plugin, this means having everything to deal with the functionality: generating the token in session, being able to check it when the form is submitted,...

So why not, but we will have to provide all the necessary stuff around the functionality.
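
The two pieces comment:3 lists (a token generated in the session, and a check when the form is submitted), shown for a hand-written form that already carries the hidden `action` input. This is an added example in plain PHP, not Jelix or jForms code; every function name and the `__form_token__` field name are hypothetical.

```php
<?php
// Added example, not Jelix code. Names below are hypothetical.
const TOKEN_FIELD = '__form_token__';

// Return the per-session token, creating it on first use.
function form_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[TOKEN_FIELD])) {
        $_SESSION[TOKEN_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[TOKEN_FIELD];
}

// Hidden inputs for a hand-written form: the action selector plus the token.
function form_hidden_inputs(string $action): string
{
    $fields = ['action' => $action, TOKEN_FIELD => form_token()];
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf(
            '<input type="hidden" name="%s" value="%s"/>' . "\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Check a submitted form: the token must be a string equal to the session's.
function form_token_is_valid(array $post): bool
{
    $expected = $_SESSION[TOKEN_FIELD] ?? null;
    $given = $post[TOKEN_FIELD] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false; // missing token, or an array sent as name[]=...
    }
    return hash_equals($expected, $given); // constant-time comparison
}

// In the action that handles the POST, reject before touching any state:
// if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !form_token_is_valid($_POST)) {
//     http_response_code(403);
//     exit;
// }
```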

comment:4 Changed 11 years ago by foxmask

  • Milestone changed from jelix 1.1 to Jelix 1.2

comment:5 Changed 11 years ago by laurentj

  • Component changed from jelix:forms to jelix:plugins:tpl
  • Milestone Jelix 1.2 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I think Jelix is big enough. If you want CSRF features, use jforms.

comment:6 Changed 11 years ago by foxmask

The matter is not what I want, but if you say that to secure our app we have to use jforms, then I am afraid that the jacl2admin is exposed to this kind of thing, as you didn't use jforms either. Now, as it is your requirement, I will try again to use jforms, but I still spent 3 days integrating a form that manages the access rights for one forum, and that was so complicated that I decided to use the shortcut formurl like you did for the jacl2admin module.

Now I understand that this feature is too heavy to be implemented in jtpl.
