Plone.protect and AJAX POST requests

I have some custom JS code that needs to perform AJAX POST requests.
Plone raises "Forbidden: Form authenticator is invalid." with plone.protect installed.

What is the correct way to get hold of the authenticator value and how to inject it into the POST request?

describes how to inject the authenticator into a form but there is no API documentation about how to get hold of the authenticator without the input field stuff.

Assuming that I can inject the authenticator value into the JS namespace: would I just add its value to the 'data' array?

    $.ajax({
        type: 'POST',
        url: url,
        // form fields sent with the request; where does the authenticator go?
        data: {
            subpath: SUBPATH,
            old_id: title,
            new_id: new_id
        },
        success: function(msg) {
            alert('success' + msg);
            refresh_table();
        },
        error: function(msg) {
            alert('error' + msg);
        }
    });

-aj

Have a look at https://github.com/plone/plone4.csrffixes/blob/master/plone4/csrffixes/protect.js which does this:

xhr.setRequestHeader("X-CSRF-TOKEN", token);

The protect.js script is injected dynamically by the transform from plone4.csrffixes, which also sets the token: https://github.com/plone/plone4.csrffixes/blob/master/plone4/csrffixes/transform.py#L186

Is this on Plone 4.3.9? If you have updated the plone.protect pin to 3.x and you see the above errors, then it should help to add plone4.csrffixes after all. I have now changed the hotfix page at https://plone.org/security/20151006 to mention this. We may want to see if we can integrate this better in core Plone so plone4.csrffixes is really no longer needed.
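To make the two options from the answer above concrete, here is an added example (it is not code from this thread, from plone.protect or from plone4.csrffixes). It reads the token out of the hidden `_authenticator` input that plone.protect renders into forms and attaches it to a `$.ajax`-style POST either as the `X-CSRF-TOKEN` header, which is what protect.js does, or as an `_authenticator` field in the `data` object, which is what the question asks about. The field name `_authenticator`, the constructed sample markup and the `fakeXhr` stand-in are assumptions made so the example runs outside a browser; in a real page you would read the value with `document.querySelector('input[name="_authenticator"]').value` and let jQuery supply the real `XMLHttpRequest`.

```javascript
// Added example, not code from the thread or from plone.protect.
// Assumption: the page contains the hidden input plone.protect renders,
//   <input type="hidden" name="_authenticator" value="...">
// and the server accepts the token either as the X-CSRF-TOKEN header
// or as the _authenticator form field.

// Constructed sample of the markup the token would be read from.
const SAMPLE_HTML = [
  '<form method="post" action="/Plone/folder/rename">',
  '  <input type="hidden" name="_authenticator" value="0123456789abcdef0123456789abcdef01234567" />',
  '</form>',
].join('\n');

// Pull the authenticator value out of rendered markup. In the browser use
// document.querySelector('input[name="_authenticator"]').value instead;
// the regex only keeps this example runnable without a DOM.
function extractAuthenticator(html) {
  const m = /<input[^>]*name="_authenticator"[^>]*value="([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

// Option 1 (what protect.js does): leave the form data alone and send the
// token in a request header. Returns $.ajax-style settings, and refuses to
// build a request at all when no token is available, so a misconfigured
// page fails loudly in the client rather than with a server-side 403.
function buildProtectedPost(url, data, token) {
  if (!token) {
    throw new Error('no authenticator token available; refusing to POST');
  }
  return {
    type: 'POST',
    url: url,
    data: data,
    beforeSend: function (xhr) {
      xhr.setRequestHeader('X-CSRF-TOKEN', token);
    },
  };
}

// Option 2 (the question's "just add it to data"): copy the data object and
// add the token under the same field name the hidden input uses. The
// original object is not mutated, so it can still be reused elsewhere.
function withAuthenticatorField(data, token) {
  if (!token) {
    throw new Error('no authenticator token available; refusing to POST');
  }
  return Object.assign({}, data, { _authenticator: token });
}

// Minimal stand-in for XMLHttpRequest so beforeSend can be exercised here.
function fakeXhr() {
  const headers = {};
  return {
    headers: headers,
    setRequestHeader: function (name, value) { headers[name] = value; },
  };
}

// Usage: build the request the thread's original snippet was trying to make.
const token = extractAuthenticator(SAMPLE_HTML);
const settings = buildProtectedPost(
  '/Plone/folder/rename',
  { subpath: 'sub', old_id: 'old-title', new_id: 'new-title' },
  token
);
const xhr = fakeXhr();
settings.beforeSend(xhr);
console.log(xhr.headers);                             // X-CSRF-TOKEN set
console.log(withAuthenticatorField(settings.data, token)); // _authenticator added
```

Either form carries the token only in the POST body or headers, never in the URL, so it does not end up in server or proxy logs; and because the token is tied to the logged-in user's session, a script that caches it across logins will start getting the "Form authenticator is invalid" error again after re-authentication, so read it from the freshly rendered page rather than storing it.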


Maybe we can add the protect.js script in plone.protect 3.x when used in Plone 4. I have opened an issue:


Thanks, clearly explained as always.

-aj