Sessionless users have no CSRF token - use 2.5.0 instead of 2.7.0

Created on 19 October 2022, over 2 years ago
Updated 16 May 2023, almost 2 years ago

Problem/Motivation

The CSRF token does not work for a user without a session.
JavaScript crashes with 2.7.0 for the anonymous user; it works fine with 2.5.0 and the anonymous user.

Steps to reproduce

Create an internal intranet site, allow anonymous users to upload files, test with 2.7.0 to see it broken, then test with 2.5.0 to see it working.

composer require "drupal/dropzonejs:2.5.0 as 2.7.0" -W

fixes it, but the exact problem code still needs to be found and scheduled for a fix.

Proposed resolution

Use 2.5.0 instead of 2.7.0, OR
patch dropzonejs with this patch:
🐛 Anonymous users cannot upload caused by invalid csrf-token Needs work
OR apply this core patch:
#2730351-105: CSRF check always fails for users without a session
https://www.drupal.org/files/issues/2022-06-18/2730351-105.patch

Remaining tasks

🐛 Anonymous users cannot upload caused by invalid csrf-token Needs work

User interface changes

Unable to upload a file; the upload gets a 404 error.

API changes

TBD

Data model changes

🐛 Bug report
Status

Needs review

Version

2.7

Component

Code

Created by

🇨🇦Canada joseph.olstad
