CSRF mismatch in OJS 3_3_0-8-18

carola · November 26, 2021, 9:03am

Hi,

when ordering issues or sections in OJS 3_3_0-8-18 (in OJS 3_3_0-8-8 the error does not occur) we get:

PHP Fatal error: Uncaught Exception: CSRF mismatch! in
…/lib/pkp/classes/controllers/grid/GridHandler.inc.php:752

pkp/pkp-lib/blob/stable-3_3_0/classes/controllers/grid/GridHandler.inc.php#L752

    
      
          	/**
          	 * Hook opportunity for grid features to request a save items sequence
          	 * operation. If no grid feature that implements the saveSequence
          	 * hook is attached to this grid, this operation will only return
          	 * the data changed event json message.
          	 * @param $args array
          	 * @param $request PKPRequest
          	 * @return JSONMessage JSON object
          	 */
          	function saveSequence($args, $request) {
          		if (!$request->checkCSRF()) throw new Exception('CSRF mismatch!');
          
          
		$this->callFeaturesHook('saveSequence', array('request' => &$request, 'grid' => &$this));
          
          
		return DAO::getDataChangedEvent();
          	}
          
          
	/**
          	 * Get the js handler for this component.
          	 * @return string
          	 */

$this->getUserVar(‘csrfToken’) is empty, this is why the match fails.

Regards,
Carola

asmecher · November 26, 2021, 12:29pm

Hi @carola,

Some additional CSRF checks were added as part of this issue. They involve changes to the compiled javascript; have you flushed your browser’s cache? Does the behaviour change if you disable minification in config.inc.php?

Regards,
Alec Smecher
Public Knowledge Project Team

carola · November 30, 2021, 8:02am

Hi @asmecher,

yes, it’s enable_minified!

Thank you so far,
Carola

asmecher · November 30, 2021, 12:22pm

Hi @carola,

Do you mean that turning off enable_minified fixes the problem?

Regards,
Alec Smecher
Public Knowledge Project Team

carola · November 30, 2021, 12:57pm

Hi @asmecher,

yes, turning off fixes the problem. I switched several times between on and off (to be sure it’s not the cache).

Regards,
Carola

asmecher · November 30, 2021, 2:55pm

Hi @carola,

In your OJS installation directory, do you have commit 9a38b0ae3ed932663bb5a92c8c747e4a31757651 included? (See e.g. git log js/pkp.min.js.)

The difference between minification enabled and disabled is that when minification is enabled, OJS relies on js/pkp.min.js to contain all its Javascript. When minification is disabled, OJS goes to the dozens of individual js files instead. If changing the flag to On breaks things, then it sounds like your compiled javascript is out of date (or an old version is cached).

Regards,
Alec Smecher
Public Knowledge Project Team

carola · December 2, 2021, 1:07pm

Thank you @asmecher, I upgraded to OJS 3_3_0-8-34, that solve the issue.

Regards,
Carola

asmecher · December 6, 2021, 8:00am

This topic was automatically closed after 9 days. New replies are no longer allowed.