BBCode with ajax call always throws "Security error occurred. Please refresh the page and try again"

CrispinP

Well-known member
Folks,

I have a bbcode which does a php callback which loads a template. This works well, but from within the template I call some js (which calls ok) and the js makes an ajax call back to the server. The controller, for now, simply returns an empty array / json string.

If I am logged in I get the security token error. If I am not logged in it works as expected.
This happens regardless of user, browser etc. Chrome incognito does the same.

I have the exact same code / method in another add-on which works without a problem. It's as if the code, when called from within a post, does not like something.

Pasting the url in the browser returns the empty json as expected.

Code:
function reloadData(){
    var url = "http://qa.landcruiserclub.net/community/mymaps/GetGeo";
   
    XenForo.ajax(
        url,
        {}, // extra data to pass
        function(ajaxData, textStatus)
        {
            if (XenForo.hasResponseError(ajaxData))
            {
                alert("Could not load map data. " + ajaxData.error);
                return false;
            }           
           
            alert('here');
        }
    );   
}


Any ideas why this might happen?


Cheers,
C
 
You will get this kind of error if an AJAX request doesn't contain a valid CSRF token (for logged-in users). The XF-JS looks for a token in an input field with the name _xfToken and includes it in the request that is sent by XenForo.ajax(). So the first thing I would do is to check if there is such a field on the page on which your JS is called.
 
So on the page making the call I can see a hidden field called _xfToken. It would be unlikely though that the post-page would not have a valid token?
 
That might be possible. I'll double check. It fires when the bbc and the template render. If the token is below that then that would explain it. Will report back.
 
OK, so not sure if this is right or not.

I have many tokens on the page, each form has one with obviously the same values. My code is well below them but I cannot see a "generic" one.
If I change my function to pick up the first one I find and pass it in as a param then it works (thanks!)

I don't have any form so what's the best way for me to get around this? OK the way I am doing it now or is there a better way I can include it in the function call from a template?

Thanks for the help!
 
Even if your code is executed after an _xfToken element, it can still be too soon, because the XF-JS does not update XenForo._csrfToken until the complete page is loaded. So if you e.g. enclose your code in $(document).ready(function(){ ... }) it should work without manually passing the token.

But if your current solution works there's actually no need to change it unless you just wanna try it :)
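
The timing issue described in this reply, replayed as a small model that runs in Node. This is an added example, not code from the thread or from XenForo: only _xfToken and XenForo._csrfToken come from the posts above, every other name is hypothetical, and the session values are constructed.

```javascript
'use strict';
// Simplified model of the behaviour described in this thread; not XenForo source.
// Only _xfToken and XenForo._csrfToken come from the thread; every other name
// here is hypothetical, and the session values are constructed.

const SECURITY_ERROR =
  'Security error occurred. Please refresh the page and try again';

// Server side: guests are not checked, logged-in users must send the token
// bound to their session.
function serverCheck(session, params) {
  if (!session.userId) return { ok: true };
  if (params._xfToken && params._xfToken === session.csrfToken) return { ok: true };
  return { ok: false, error: SECURITY_ERROR };
}

// Client side: replay the page load in order and report what the AJAX call
// made by the BB code template gets back.
function loadPage(session, deferUntilReady) {
  const hiddenInput = { name: '_xfToken', value: session.csrfToken || '' };
  const XenForoModel = { _csrfToken: '' };   // stands in for XenForo._csrfToken
  let result = null;

  // Assumption: the framework registers its init as the first ready handler;
  // that handler copies the token out of the hidden input.
  const readyQueue = [() => { XenForoModel._csrfToken = hiddenInput.value; }];

  // Stand-in for XenForo.ajax(): attaches whatever token is known right now.
  const reloadData = () => {
    result = serverCheck(session, { _xfToken: XenForoModel._csrfToken });
  };

  // 1. The post body renders and the template's inline script executes.
  if (deferUntilReady) readyQueue.push(reloadData);   // $(document).ready(...)
  else reloadData();                                  // called immediately

  // 2. The page finishes loading and the ready handlers run in order.
  readyQueue.forEach((handler) => handler());
  return result;
}

const member = { userId: 42, csrfToken: 'constructed-token-abc123' };
const guest = { userId: 0, csrfToken: '' };

console.log('member, inline  :', loadPage(member, false));
console.log('member, deferred:', loadPage(member, true));
console.log('guest,  inline  :', loadPage(guest, false));
```

In this model only the logged-in, inline case is rejected, which matches the symptoms reported in the first post.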
 
I'll give it a try because my way will not work for non-logged-in users, so I would have to jump through hoops to make that work. It's a bit messy.

I'll change my way to run once all is done. :)
 