X-Cart forums

[ajeetsingh]

Hello, I am X-Cart developer from Webkul Software Private Limited, UP, INDIA.
I have an issue in process of ajax calling in admin area on a page.
like: I had created a page with a button at admin area, I want to call a ajax request to click on that button. But when i click on that button to call a function which was already written in the same controller file but an error notice has occurs like below:
"The form could not be identified as a form generated by X-Cart. The reason may be that a substantial period of time has elapsed since you opened the page with this form or the page was opened in more than one browser tab. If you did not open the page with this form, you might be under a CSRF attack."
So can anyone Please help me.
My code are below:
1. In controller File the action is as below.

PHP Code:

/**
* Export action
*
* @return void
*/
protected function doActionSaveDemo(){
   $tpId = \XLite\Core\Request::getInstance()->nIds;
   echo 'tpId : '.$tpId;
} 


2. Ajax request is as below:

PHP Code:

function xyz(idss){
   core.post(
   URLHandler.buildURL({target: 'number_demos', action: 'savedemo'}),
   function(XMLHttpRequest, textStatus, data, valid) {
     if (valid && data) {
         console.log(data);
      }else{
            console.log('Not valid');
     }
   },
   { nIds: idss }
 );    

} 


Here number_demos is the controller which class is NumberDemos

[qualiteam]

The buildURL function doesn't add the form_id parameter that protects backend forms and links from hijacking.

When is your function called? Is there a link or a form on the page that you want to follow/submit?
If so, you can get the URL via jQuery, something like this:

Code:

var url = jQuery('form#my_form').attr('action');

or

Code:

var url = jQuery('a#my_link').attr('href');

[ajeetsingh]

Hello qualiteam,

As you suggest about to use admin url i have done same but my issue is remain same. the code is as below :

PHP Code:

<script>
jQuery( document ).ready(function() {    
  var wkUrldds = self.location;        
  var wkUrl=wkUrldds+'skins/admin/modules/Webkulsoftware/WebPushNotification/notify.php';    
        jQuery('body').on('click','.notifybtn',function(){
            var idss = jQuery(this).val();
            var urll = jQuery('form').attr('action');
            sendPushNotification(idss, urll);
        });

        function sendPushNotification(idss, urll){
            
            jQuery.ajax({
                url: urll+'?target=notif_tmplts&action=notify',
                data: {id: idss,urll: urll},
                type: 'POST',
                success: function (data) {
                    if(data != ''){
                        console.log(data);
                    }else{
                         console.log('Not a valid data');
                    }                   
                }
            });
        }

    });
    </script> 


And the controller function is as below:

PHP Code:

protected function doActioNotify(){
    $tpId = \XLite\Core\Request::getInstance()->nIds;
    echo $tpId; 
} 


In that case the ajax call is done but when i click on the ajax url in console then it redirect on the page where a notice is appear that i have no permission to access that page. I have also provide the snapshot of that page below;

[qualiteam]

Every backend URL is signed with a unique identifier that can be used only once.

As far as I understand you use the same URL twice: the first time you send a background request to that URL, and the second time you try to follow it from the JavaScript console. It won't work this way, unfortunately. As soon as you send an AJAX request, the URL becomes expired and won't work from the console.

[Daemos]

Hello, ajeetsingh

You should define the list of actions not secured by formid checking in your NotifTmplts controller to overcome this problem:

PHP Code:

/**
 * Define the actions with no secure token
 *
 * @return array
 */
public static function defineFreeFormIdActions()
{
    $list = parent::defineFreeFormIdActions();
    $list[] = 'notify';
    return $list;
} 


[ajeetsingh]

Hello Daemos ,

Thank you to help me, Your suggestion is working for me.