I made a module named Gallery which works fine on my localhost with version 2.0.3, but when using version 2.1.0 on a remote site I can not submit a form and I get the error:
The action you have requested is not allowed.
Why is this?
I agree with #Jhourlad Estrella on fixing the problems instead of disabling a security feature, however I feel that the real problem is with the hidden input field that holds the token.
Instead of using plain HTML to create a form element use the the form_open() and form_close() helper functions. The reason why is because when you use the helper function it automatically inserts the csrf token as a hidden field in the form.
You could do this manually as well by adding the token as a hidden input field in the form
<input type="hidden" name="csrf_hash_name" value="your-hash-value-here">
Doing it this way will allow you to stay protected from CSRF attacks and fix the problem you are having.
Hope this helps someone else out there as this was driving me nuts the first time figuring this out.
It is a Codeigniter error related to the CSRF protection. You can cancel it in cms/config/config.php
On matters of programming, you don't go around problems, you fix it. What I mean to say is, this feature won't be here if it is unusable: 'coz it is and it works for me. You just have a problem on the implementation.
My answer: Remove all dashes, periods and any other non-alphanumeric characters from the values of following entries on application/config/config.php as seen below:
$config['sess_cookie_name'] = 'mycookiename'; //instead of "my_cookie_name"
$config['csrf_token_name'] = 'mycsrftoken'; //instead of "my.csrf.token"
$config['csrf_cookie_name'] = 'mycsrfcookie'; //instead of "my/csrf/cookie"
BTW, dashes sometimes work but I suggest using single words whenever possible when naming config values. Not unless you have the time and skills to study Codeigniter's core files related to what ever you are working on just to make sure it's safe to do so.
Anyways, I hope this help somebody out there even though my answer is more than a year late.
I have a form that was built outside of CI (in Joomla), but that I wanted to process with CI. My fix was to selectively disable csrf for specific referrers. I added this to config, directly after the default config options for csrf:
/* Set csrf off for specific referrers */
$csrf_off = array(
"http://yourdomain.com/your-form-url",
"http://yourdomain.com/some-other-url"
);
if (isset($_SERVER["HTTP_REFERER"])) {
if (in_array($_SERVER["HTTP_REFERER"],$csrf_off)) {
$config['csrf_protection'] = false;
}
}
This disables csrf protection for specific URLs in the $csrf_off array, but leaves it intact for all other requests.
I have found using the form helper functions
Example
<?php echo form_open('controller/function');?>
<?php echo form_input('username', 'Username');?>
<?php echo form_close();?>
Using the helper functions like above should stop the CSRF error message showing.
If I don't use echo form_input() if I place just normal input will trigger the CSRF error when reload.
<?php echo form_open('controller/function');?>
<input type="text" name="username" />
<?php echo form_close();?>
So I recommend using all form helper functions now.
It is an old question but this same problem did cost me so much time that I wanted to share what the problem was in my case. It may help someone.
I am using Codeigniter 3.0.6 and CommunityAuth 3 together with it and I was getting this error after a login.
It was confusing since the problem would sometimes happen and would not other times.
My 'base_url' in CI's config.php was set to something like 'www.mysite.com'
When you browse the site with 'mysite.com' (notice 'www' is not in the address) and you do a form submission that uses CI's 'base_url' setting, like CommunityAuth's login does, then CSRF check fails and you get 'The action you have requested is not allowed.' error.
This error is thrown by the function csrf_show_error() in system/core/Security.php when the CSRF token in $_COOKIE doesn't match your $_POST['csrf_token_name'].
Inside config.php, I had to ensure that $config['cookie_domain'] matched $config['base_url'], without the protocol (i.e. http(s)://).
Otherwise, the cookie wasn't being passed which meant the match couldn't be made.
Use the codeigniter form opener like this:
<php echo form_open(url,method,attributes);?>
see codeigniter form documentation for more.
This is probably a rare case, but I didn't see my issue since my server has many different domain names that are very similar. The problem was that I was landing on a domain that was completely wrong, but since "The action you have requested is not allowed." error takes precedence over " 404 Not Found Error" I couldn't see it. My problem was that I didn't change my base_url to the correct domain. So if none of the above solutions work for you, you might check your settings for $config['base_url'] in application/config.
For me the problem was that I was loading the view in the index, than I changed as follow and it worked:
public function index()
{
// Load Login Page
redirect('login/login_page','refresh');
}
public function login_page()
{
$data['title'] = 'Login Page';
$this->load->view('templates/header', $data);
$this->load->view('users/login_view', $data);
$this->load->view('templates/footer');
}
Im Using Codeigniter 3 same problem with
The action you have requested is not allowed.
Based on Isaac Pak's point, i changed my base_url to what i usally typed at the address bar. like this...
instead of putting
http://www.domain.org
i write it this way..
http://domain.org
since my base_url() is just..
$config['base_url'] = 'http://domain.org/';
the fix works for my site...
I am having trouble removing the controller name from my url path on my localhost.
i have this url - localhost:8888/localhost/site_name/
i have been able to remove index.php from the url using my htaccess similar to http://codeigniter.com/wiki/mod_rewrite so that:
localhost:8888/localhost/site_name/index.php/controller_name
is now:
localhost:8888/localhost/site_name/controller_name/
but i can't remove the controller name from the path so that:
localhost:8888/localhost/site_name/controller_name/function_name/
becomes:
localhost:8888/localhost/site_name/function_name/
I am using only one controller, and i have added:
$route['^(function_name1|function_name2|function_name3)(/:any)?$'] = 'controller_name/$0';
$route['^(?!ezstore|ezsell|login).*'] = "home/$0"; /*similar variation i tried*/
and other variations to my routes file but it does not have any effect. i also tried using the _remap function but that does not help in this case.
Any help will be appreciated! Thanks
You can use a wildcard route,
$route['(:any)'] = "controller_name/$1";
Then when if you go to http://localhost/function_one/param1
it will call the controller controller_name the function function_once and pass param1 as the first parameter.
nb: I must point out, using only one controller for an entire site does raise warning bells for me, you may want to get your code design checked out, but that's just me.
I am using CodeIgniter. In my script, I am changing $config['index_page'] in config.php file as per the user's reponse, i.e, dynamic index_page is used. In order to get it work, I have changed the $config['uri_protocol'] value to "AUTO".
Everything is working fine except when the case comes like : domain.com/index_page/auth/register?testvar=1
It's not accepting the get variables and "PAGE NOT FOUND" error is there. I have tried several things already discussed here, but they involve changing the uri_protocol to "PATH_INFO" that I can't change as the site stops working. It requires "REQUEST_URI" to work properly which is exactly the case with "AUTO" setting.
So is there, any way to get it working???
Any help would be appreciated.
Have a look at this answer: Handling question mark in url in codeigniter it will require you to override the core URI class whenever you are accepting QUERY_STRING and inject your logic there.
Have you read this: http://codeigniter.com/user_guide/general/urls.html ?
You pass vars like this:
domain.com/index_page/auth/register/1
The first segment represents the
controller class that should be
invoked.
The second segment represents
the class function, or method, that
should be called.
The third, and any
additional segments, represent the ID
and any variables that will be passed
to the controller.
Also you can do it your way, read the reference. But than why to use a framework at all?
I've done the same thing in my project and I got the url like
mydomain.com/search/?name=Arun+David&age=23
To achieve this,
In config file set
$config['uri_protocol']='PATH_INFO'; or $config['uri_protocol']='ORIG_PATH_INFO';
if PATH_INFO is not working try using ORIG_PATH_INFO. For me in localhost PATH_INFO is woking but not ORIG_PATH_INFO but while uploading it in server ORIG_PATH_INFO in working but not PATH_INFO.
and in your search controller's constructer add
parse_str($_SERVER['QUERY_STRING'],$_GET);
then you can use $_GET['name'] and $_GET['age'] in your code!.!. :-)
This is my first time getting my hands dirty with CI so I'm getting a little confused.
I'm wanting to accomplish a couple things with my question. First of all, I'd like to always use the default controller without having it to appear in the url. For example, I created a new class named after my site (Example.php) and that works fine. However, if I want to call the search function in my controller I then have to go to example.com/index.php/example/search/.
The second thing I want to accomplish is when I run a search I'll get a nice looking url like so: example.com/search/This+is+a+search (I haven't gotten to removing the index.php portion but I know to use a htaccess). I'm not worried about the actual mechanics of the search, just that I'd like to format the url in this way.
I originally experimented with using a Search class but that found that it doesn't allow me put the search in the url because the second parameter should be a function and not the extra stuff.
Thanks for any help.
In application/config/routes.php file add $route to redirect everything to your controller.
Something like this:
$route['([^\/]+)'] = 'content/index/$1';
$route['([^\/]+)\/([^\/]+)'] = 'content/index/$1/$2';
This will redirect urls like example.com/A and example.com/A/B to a controller named content. Parameters A and B will be passed to method index.
I'm having a little trouble with a CodeIgniter route when there is a query (stuff after the ?) in the URI. I know it is good practice to replace queries with routes in CI, but I'm importing in a premade messageboard that already does everything with queries. This is my route:
$route['messageboard/:any'] = "messageboard/index";
Any in this case refers to a script name. So if it's messageboard/admin.php, I have it load a view that loads my premade messageboard's script "admin.php". It's working just fine if I do messageboard/admin.php. It does fine if I do messageboard/admin.php?. If I put a parameter into the query, however, the route won't correctly send the user to the messageboard controller, and instead sends them to a 404. Does anyone have any ideas on how to make this work? I would be eternally grateful. Thanks!
Okay guys, I solved it. I needed to change three things. The first was mtvee's suggestion, which lets it read query strings. The second one you're going to want to change the $config['permitted_uri_chars'] in the config file to include an equals sign, since it starts off disabled and all query strings will be of the for ?a=34 or something like that. The third is you need to go to $config['uri_protocol'] and change it from AUTO to PATH_INFO. Once I did those, it worked.
I'm sure the syntax is:
$route['messageboard/(:any)'] = "messageboard/index"; //<-- notice brackets
and not
$route['messageboard/:any'] = "messageboard/index";
I believe CI doesn't do GET out of the box. Check out Enabling Query Strings here http://ellislab.com/codeigniter/user-guide/general/urls.html