daylightstudio / FUEL-CMS-Blog-Module

A blog module for FUEL CMS

'The action you have requested is not allowed' when trying to search the blog and CSRF protection is enabled #5

Closed Dinchar closed 11 years ago

Dinchar commented 11 years ago

Hi,

as the title says, when the CSRF protection is enabled, the blog search generates

An Error Was Encountered The action you have requested is not allowed.

Suggested fix: Add the following code just before the closing form tag in the file fuel/modules/blog/views/themes/{THE_THEME_NAME}/_blocks/search.php

<?php
// Only emit the token field when csrf_protection is enabled in config.php
if ($this->config->item('csrf_protection'))
{
    // Make sure the CSRF cookie that the check compares against is set for this response
    $this->security->csrf_set_cookie();
    ?>
    <input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>"/>
    <?php
}
?>

I am not sure whether the same could not be achieved if the whole search form is generated by FUEL's form builder, as it takes care of the CSRF. :-?
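
For comparison, here is the same search block written with CodeIgniter's form helper rather than a hand-written form tag; this is an added example, not code from the module or from the reporter. It assumes the form helper is loaded and that `blog/search` and the field name `q` are the module's actual route and parameter (placeholders; adjust to the real ones).

```php
<?php
// Added example, not the module's own view. Assumes $this->load->helper('form')
// has run and that 'blog/search' / 'q' are the real search route and parameter.
//
// form_open() defaults to method="post" and, when $config['csrf_protection'] is
// TRUE and the action points at this site, it appends the CSRF hidden input
// itself. The manual token block from the report is then only needed for forms
// that are not built through the helper.
echo form_open('blog/search');
?>
	<label for="q">Search</label>
	<?php echo form_input(array('name' => 'q', 'id' => 'q', 'value' => set_value('q'))); ?>
	<?php echo form_submit('submit', 'Search'); ?>
<?php echo form_close(); ?>
```

Either way the rendered form carries a hidden input whose name matches `get_csrf_token_name()`; if that input is missing from the page source, the POST will still be rejected with "The action you have requested is not allowed".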

daylightstudio commented 11 years ago

Thanks for the bug report and the fix. I've posted a change for that.