Having issue with Security Token and Paypal...

Discussion in 'XenForo Development Discussions' started by Jaxel, Oct 4, 2011.

  1. Jaxel

    Jaxel Well-Known Member

    I'm working on a donation module block for XenPorta... everything works fantastic so far... except one issue... After a user has sent their donation in, it gives them a summary "Your Donation is Complete" page, with an orange button for "Return to ----". When I click this button, it properly goes back to the return URL... but it gives a security error in the process...

    I've looked at XenForo's payment processor and I see nothing special that prevents this. This is what I have in my form...

    <form action="{$option.payPalUrl}" method="post" class="upgradeForm">
        <input type="hidden" name="cmd" value="_donations" />
        <input type="hidden" name="return" value="{$requestPaths.fullBasePath}{xen:link portal/donation}" />
        <input type="hidden" name="cancel_return" value="{$requestPaths.fullBasePath}" />
        <input type="hidden" name="notify_url" value="{$xenOptions.boardUrl}/donation_callback.php" />
        <input type="hidden" name="custom" value="{$visitor.user_id},{$donation.id},token,{$visitor.csrf_token_page}" />
        <input type="submit" value="Donate" class="button primary" />
    </form>
    So how do I prevent this security error when returning from paypal?
  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    It's the return location (portal/donation) that is giving that error, right? Not the callback URL? Check your controller for that page. Are you requiring the token anywhere in your code? Are there any calls to _checkCsrfFromToken or _checkCsrf? Any references to _xfToken?
  3. Jaxel

    Jaxel Well-Known Member

    It doesn't have anything like that. The issue is that the return button from paypal is a POST button; and POST to XenForo requires a CSRF token. However, with the user upgrade system in XenForo, they bypass that requirement... how?
  4. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    I think I found it:

    /**
     * Disable CSRF checking for the upgrade purchase callback method.
     */
    protected function _checkCsrf($action)
    {
        if (strtolower($action) == 'upgradepurchase')
        {
            // may be coming from external payment gateway
            return;
        }

        parent::_checkCsrf($action);
    }
    So you need to include your own _checkCsrf function in your controller.
    Darkimmortal likes this.
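    The same pattern applied to the portal/donation return page, as an added example that is not XenForo's or XenPorta's own code (the class name, view/template names and the donation_id input are assumptions). The CSRF check is skipped for the return action only, and that action is kept read-only so the missing token cannot be abused; crediting the donation is left to the notify_url (IPN) handler.

```php
<?php
// Added example (not XenForo's or XenPorta's code). Class, view and template
// names are hypothetical; the controller is assumed to serve the portal/donation route.
class EWRporta_ControllerPublic_Donation extends XenForo_ControllerPublic_Abstract
{
    /**
     * PayPal's "Return to ..." button POSTs to the return URL without a XenForo
     * CSRF token, so the default check rejects it. Skip the check for this one
     * action only and fall through to the normal check for everything else.
     */
    protected function _checkCsrf($action)
    {
        if (strtolower($action) == 'index')
        {
            // may be coming from external payment gateway (PayPal return POST)
            return;
        }

        parent::_checkCsrf($action);
    }

    /**
     * Renders the "Your Donation is Complete" summary. Because CSRF checking is
     * disabled for this action, it must not change any state: the donation is
     * recorded by the notify_url (IPN) callback, which validates the message
     * with PayPal before trusting it.
     */
    public function actionIndex()
    {
        // Only an identifier for display; nothing here is treated as proof of payment.
        $donationId = $this->_input->filterSingle('donation_id', XenForo_Input::UINT);

        $viewParams = array(
            'donationId' => $donationId
        );

        return $this->responseView(
            'EWRporta_ViewPublic_Donation',
            'EWRporta_donation_complete',
            $viewParams
        );
    }
}
```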
  5. Jaxel

    Jaxel Well-Known Member

    Thanks, that's exactly what I was looking for.