Change default page for csrf error

#1
Where do I change the default page for "this action is not allowed", which is caused by an expired CSRF token?
Reply

#2
@anthos1984,

There is no default page for "this action is not allowed". It is an error message. It may use one of the default error pages in the /application/views/errors directory.
Reply

#3
If you examine the execution path as designed you find...

If the CSRF is not valid
  1. CI_Security::csrf_show_error() is called
  2. From there the common function show_error($message, $status_code) is called with $message='The action you have requested is not allowed.' and $status_code = 403
  3. show_error() sets $heading='An Error Was Encountered', then loads the CI_Exceptions class and calls CI_Exceptions::show_error($heading, $message, 'error_general', $status_code)
  4. CI_Exceptions::show_error() uses the file /application/views/errors/html/error_general.php for the view, which echoes $heading and $message
whew!

So, one way to get what you want would be to extend CI_Security and redefine the method csrf_show_error(). Something along these (untested) lines.

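PHP Code:
class MY_Security extends CI_Security
{
    // Overrides CI_Security::csrf_show_error() to render a custom error view
    public function csrf_show_error()
    {
        $heading = "Be gone fool!";
        $message = "You shall not pass!";

        // Call CI_Exceptions directly so the 'csrf_error' view can be named
        $_error =& load_class('Exceptions', 'core');
        echo $_error->show_error($heading, $message, 'csrf_error', 403);
        exit;
    }
}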

Basically what happens above is you bypass the common function and go straight to the CI_Exceptions class passing the name of your custom view - which I call "csrf_error".

You need to create the view file /application/views/errors/html/csrf_error.php that meets your objectives.
Reply
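
A fuller variant of the override described in post #3, added here as an example (it is not code from the thread or from CodeIgniter itself): it logs the rejection, answers AJAX requests with JSON, and otherwise renders the csrf_error view with the 403 status intact. The heading and message wording, the JSON shape and the X-Requested-With check are assumptions made for illustration.

```php
<?php
// application/core/MY_Security.php (added example, not the thread's code)
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    /**
     * In CodeIgniter 3 this runs from CI_Security::csrf_verify(), before any
     * controller exists, so it relies on common functions and load_class(),
     * not get_instance().
     */
    public function csrf_show_error()
    {
        // Log request metadata only (never the submitted token). Control
        // characters are stripped so the values cannot forge log lines.
        $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
        $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';
        $uri = preg_replace('/[\x00-\x1F\x7F]/', '', $uri);
        log_message('error', 'CSRF check failed: ip='.$ip.' uri='.$uri);

        // Wording is an assumption; keep it generic and keep the 403 status.
        $heading = 'Your form has expired';
        $message = 'Please reload the page and submit the form again.';

        // AJAX callers get a small JSON body instead of an HTML page.
        $xhr = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
            && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
        if ($xhr)
        {
            set_status_header(403);
            header('Content-Type: application/json; charset=utf-8');
            echo json_encode(array('error' => 'csrf', 'message' => $message));
            exit;
        }

        // Otherwise render application/views/errors/html/csrf_error.php.
        $_error =& load_class('Exceptions', 'core');
        echo $_error->show_error($heading, $message, 'csrf_error', 403);
        exit;
    }
}
```

log_message() only writes the entry when $config['log_threshold'] is set to 1 or higher.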

#4
(07-26-2018, 04:09 PM)dave friend Wrote: So, one way to get what you want would be to extend CI_Security and redefine the method csrf_show_error(). Something along these (untested) lines.

PHP Code:
class MY_Security extends CI_Security
{
    // Overrides CI_Security::csrf_show_error() to render a custom error view
    public function csrf_show_error()
    {
        $heading = "Be gone fool!";
        $message = "You shall not pass!";

        // Call CI_Exceptions directly so the 'csrf_error' view can be named
        $_error =& load_class('Exceptions', 'core');
        echo $_error->show_error($heading, $message, 'csrf_error', 403);
        exit;
    }
}

Basically what happens above is you bypass the common function and go straight to the CI_Exceptions class passing the name of your custom view - which I call "csrf_error".

You need to create the view file /application/views/errors/html/csrf_error.php that meets your objectives.

Wow, thanks. I will try that
Reply

