[Fixed in next release] Can't seem to ‘subscribe to thread’

 
Wilbur Jones
 
Total Posts:  2
Joined  10-07-2017
 
 
 
10 July 2017 23:36
 

Using this theme with EE 3.5.10, when I try to subscribe to a thread I get a message “You are not authorized to perform this action”... Same goes for unsubscribing… I’m logged in as Super Admin, but it also happens for normal users. If I switch to one of the built-in themes, it works. Any ideas?

 
Wilbur Jones
 
Total Posts:  2
Joined  10-07-2017
 
 
 
18 July 2017 05:58
 

Finally found what was causing this issue: https://docs.expressionengine.com/latest/installation/version_notes_3.4.0.html#version-notes-for-3-4-0

It seems with EE3.4.0 they made a change that requires you to add some CSRF-preventing JavaScript.

 
eeBootstrap Support Team
 
Total Posts:  105
Joined  22-09-2014
 
 
 
18 July 2017 07:26
 

This is the solution if you use the 3.4.x release of the forum; the following info is from the official EE version notes:

With 3.4.0, some improvements were made to the security of the forums by adding additional CSRF checks. EE has updated the forum themes, but if you have customized your forum theme you may need to update your HTML.

In forum_global/html_footer.html if you use the theme chooser you will need to wrap it in a <form> tag:

<form method="post" action="{path:set_theme}">
    <input type="hidden" name="csrf_token" value="{csrf_token}" />
    <select name="theme" class="select" onchange="if (this.value != '') this.form.submit()">
    {include:theme_option_list}
    </select>
</form>

In forum_threads/threads.html if you use the subscribe and unsubscribe feature you will need to add some code:

function post(path, params, method) {
    method = method || "post"; // Set method to post by default if not specified.

    // The rest of this code assumes you are not using a library.
    // It can be made less wordy if you use one.
    var form = document.createElement("form");
    form.setAttribute("method", method);
    form.setAttribute("action", path);

    // Add each parameter (including the CSRF token) as a hidden field.
    for (var key in params) {
        if (params.hasOwnProperty(key)) {
            var hiddenField = document.createElement("input");
            hiddenField.setAttribute("type", "hidden");
            hiddenField.setAttribute("name", key);
            hiddenField.setAttribute("value", params[key]);

            form.appendChild(hiddenField);
        }
    }

    document.body.appendChild(form);
    form.submit();
}

function subscribe(el)
{
    // Split the link's href into the action URL and the trailing topic ID.
    var csrf_token = "{csrf_token}",
        parts = el.href.slice(0, -1).split('/'),
        topic_id = parts.pop(),
        url = parts.join('/');

    post(url, {
        topic_id: topic_id,
        csrf_token: csrf_token
    });

    // Cancel the default link navigation (GET request).
    return false;
}

And update your HTML:

<a href="{path:subscribe}" onclick="return subscribe(this)"><b>{lang:subscribe}</b></a>
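
Added example, not part of the original posts or of ExpressionEngine's own code: a heuristic Node.js check that scans a customized forum template for the two gaps described above, a POST form without a csrf_token field and a subscribe link without an onclick handler. It generalizes the theme-chooser fix to every POST form; the sample templates, file names, and the `{path:unsubscribe}` tag name are assumptions, and an onclick attribute being present does not prove the handler actually sends the token.

```javascript
// Added example: heuristic audit of a customized forum theme for the two CSRF
// changes described in this thread. Regex-based, not a full HTML parser.

// 1-based line number of a character offset.
function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

function auditTemplate(file, html) {
  const findings = [];

  // 1. Every POST <form> should carry a hidden csrf_token field.
  const formRe = /<form\b[^>]*\bmethod\s*=\s*["']?post["']?[^>]*>([\s\S]*?)<\/form>/gi;
  for (const m of html.matchAll(formRe)) {
    if (!/<input\b[^>]*\bname\s*=\s*["']csrf_token["'][^>]*>/i.test(m[1])) {
      findings.push({ file, issue: "post-form-without-csrf_token", line: lineOf(html, m.index) });
    }
  }

  // 2. Subscribe links need an onclick handler that turns the click into a
  //    POST with the token. {path:unsubscribe} is an assumed tag name; only
  //    {path:subscribe} appears in the thread.
  const linkRe = /<a\b[^>]*\bhref\s*=\s*["']\{path:(?:un)?subscribe\}["'][^>]*>/gi;
  for (const m of html.matchAll(linkRe)) {
    if (!/\bonclick\s*=/i.test(m[0])) {
      findings.push({ file, issue: "subscribe-link-without-onclick", line: lineOf(html, m.index) });
    }
  }
  return findings;
}

// Constructed sample templates (not taken from any real theme).
const OLD_THEME = [
  '<a href="{path:subscribe}"><b>{lang:subscribe}</b></a>',
  '<form method="post" action="{path:set_theme}">',
  '<select name="theme" class="select">{include:theme_option_list}</select>',
  '</form>',
].join("\n");

const FIXED_THEME = [
  '<a href="{path:subscribe}" onclick="return subscribe(this)"><b>{lang:subscribe}</b></a>',
  '<form method="post" action="{path:set_theme}">',
  '<input type="hidden" name="csrf_token" value="{csrf_token}" />',
  '<select name="theme" class="select">{include:theme_option_list}</select>',
  '</form>',
].join("\n");

console.log(auditTemplate("old_theme.html", OLD_THEME));
console.log(auditTemplate("fixed_theme.html", FIXED_THEME));
```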