delete_x

[AhmedBR]

Hi,

I am trying to create a link to delete a record using this line:

Code: Select all

sales_order_view.php?SelectedID=%ID%&delete_x=%ID%

Tried these also

Code: Select all

sales_order_view.php?SelectedID=%ID%&delete_x=1

Code: Select all

sales_order_view.php?&filterer_id=%ID%&delete_x=1

based on:

https://bigprof.com/appgini/help/advanc ... parameters

addNew_x works fine

Code: Select all

sales_view.php?filterer_customer_id=1&addNew_x=1

But delete_x I am always getting this message:

Code: Select all

Oops! Something went wrong with this page. Please go back and retry.

(user has permission to delete, so it is not permission)

What am I doing wrong?

Thanks

[jsetzer]

Are you replacing %ID% by a real Primary Key before opening the URL?

Something like...

Code: Select all

TABLENAME_view.php?SelectedID=1&delete_x=1

should work.

The string "%ID%" is probably not a real primary key in your table.

[AhmedBR]

Thanks for the reply Jan.

Are you replacing %ID% by a real Primary Key before opening the URL?

Yes, and it is the Primary Key.
Should work, but it does not, I keep getting that error message!

if I use print, dvprint with the same %ID% etc. all working 100%, just delete not working.
I guess I have to keep digging to find where the problem is.

[jsetzer]

From generated sourcecode I can see that you need to be logged in. Deleting requires CSRF token AND JWT authentication.

Code: Select all

...
elseif($delete_x != '') {
     // delete only if either a csrf or jwt token is provided
    if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);
        ...

Usually those should be set automatically when opening a DV or TV.

So, from within AppGini generated code deleting a record by primary key TABLENAME_view.php?SelectedID=1234&delete_x=1 should work. I am using such URLs from time to time, so, I'm pretty sure it should work.

Questions: Are you calling that URL from within AppGini generated view? and are you logged in?

[AhmedBR]

Questions: Are you calling that URL from within AppGini generated view? and are you logged in?

Yes, as super admin (so it is not logged in nor permission issue, if I open the record I can use the delete button without a problem!)
From within the tabelview using buttons.

delete.jpg (16.37 KiB) Viewed 2220 times

All other buttons are working 100%, must be something else, cannot figure it out yet.

Thanks

[AhmedBR]

I think it is going to be something totally unexpected, something like this one:
viewtopic.php?f=11&t=4811#p19712

[jsetzer]

I have searched the code for the error message you have given "csrf token expired or invalid". It occurs multiple times in code. Related to delete_x, it occurs in datalist.php:

Code: Select all

...
elseif($delete_x != '') {
			// delete only if either a csrf or jwt token is provided
			if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);
...

So, I still think this is related to authentication and security.

You are logged in, so, auth should not be a problem.

But I'm wondering if there is a (valid) csrf_token in your Table View.

I have checked a standard generated table view and there we have that token:

Code: Select all

<input type="hidden" id="csrf_token" name="csrf_token" value="160f547e28aexxxxxxxxxxxxxxxxxxxx">

Can you please open sourcecode of your table view and check if there is the code for rendering the <input ... name="csrf_token" ... />.

It should be somewhere immetiately below the comment <!-- Add header template below here .. -->

[pbottcher]

Hi,

did you try

sales_order_view.php?SelectedID=1&delete_x=1

assuming you have a record with PK=1

[AhmedBR]

It should be somewhere immetiately below the comment <!-- Add header template below here .. -->

Yes, the token is there:

token.jpg (13.92 KiB) Viewed 2195 times

[AhmedBR]

Hi,

did you try

sales_order_view.php?SelectedID=1&delete_x=1

assuming you have a record with PK=1

Thanks for the reply pböttcher ,

Yes, same message.

[pbottcher]

Hi,

can you open the detail view and then add the url (with your server data) directly into the browser (replace the SelectedID=1 with the currently selected id)
Did it delete the record?

if Yes, do the same, from the tableview. Remember to set a valid ID for the SelectedID.

[AhmedBR]

Same message.
Tried also with detail_view same page as table_view, and as a separate page!
Same message!

If you click the delete button (of appgini), the record is deleted!
and if you use mass delete the record is also deleted.

[pbottcher]

Ah, ok
so you need to catch the csrf token from that page and add it to the called url as parameter

Code: Select all

sales_order_view.php?SelectedID=1&delete_x=1&csrf_token=XXXXXXXXXXXXXX

[AhmedBR]

Code: Select all

sales_order_view.php?SelectedID=1&delete_x=1&csrf_token=XXXXXXXXXXXXXX

Thanks Pböttcher, that did the trick!

[jsetzer]

Great, Ahmed! Glad it works now.
Thanks @pböttcher for the simple hack, brilliant idea to just pass the token in GET-parameter!

[AhmedBR]

Great, Ahmed! Glad it works now.
Thanks @pböttcher for the simple hack, brilliant idea to just pass the token in GET-parameter!

Thank you Both.