BBCode with ajax call always throws "Security error occurred. Please refresh the page and try again"

[CrispinP]

Folks,

I have a bbcode which does a php callback which loads a template. This works well but from in the template I call some js (which calls ok) but the js makes an ajax call back to the server. The controller, for now, simply returns an empty array / json string.

If I am logged in I get the security token error. If I am not logged in it works as expected.
This happens regardless of user., browser etc. Chrome incognito does the same.

I have exact same code / method in another add-on which works without a problem. It's as if the code, when called from within a post, does not like something.

Pasting the url in the browser returns the empty json as expected.

function reloadData(){
    var url = "http://qa.landcruiserclub.net/community/mymaps/GetGeo";
   
    XenForo.ajax(
        url,
        {}, // extra data to pass
        function(ajaxData, textStatus)
        {
            if (XenForo.hasResponseError(ajaxData))
            {
                alert("Could not load map data. " + ajaxData.error);
                return false;
            }           
           
            alert('here');
        }
    );   
}

Any ideas why this might happen?


Cheers,
C

 

[Thomas.B]

You will get this kind of error if an AJAX request doesn't contain a valid CSRF token (for logged-in users). The XF-JS looks for a token in an input field with the name _xfToken and includes it in the request that is sent by XenForo.ajax(). So the first thing I would do is to check if there is such a field on the page on which your JS is called.

 

[CrispinP]

So on the page making the call I can see a hidden field called _xfToken. It would be unlikely though that the post-page would not have a valid token?

 

[Thomas.B]

Maybe it's an execution order problem. Is reloadData() called after the full HTML has been loaded?

 

[CrispinP]

that might be possible. I'll double check. It fires when the bbc and the template render. If the token is below that then that would explain it. Will report back.

 

[CrispinP]

ok, so not sure of this is right or not.

I have many tokens on the page, each form has one with obviously the same values. My code is well below them but I cannot see a "generic" one.
If I change my function to pick up the first one I find and pass it in as a param then it works (thanks!)

I don't have any form so what's the best way for me to get around this? OK the way I am doing it now or is there a better way I can include it in the function call from a template?

Thanks for the help!

 

[Thomas.B]

Even if your code is executed after an _xfToken element, it can still be too soon because the XF-JS updates the XenForo._csrfToken not before the complete page is loaded. So if you e.g. enclose your code in $(document).ready(function(){ ... }) it should work without manually passing the token.

But if your current solution works there's actually no need to change it unless you just wanna try it

 

[CrispinP]

I'll give it a try because my way will not work for non-logged in users so I would have to jump through hoops to make that work. It's a bit messy.

I'll change my way to run once all is done.