You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If this request requires additional support (e.g., such as direct email/phone/meeting/development), I have the following interest in helping to sponsor the effort via GitHub Sponsors:
None, please continue to work for me for free :P
Absolutely, I get value out of this!
Maybe later
I'm already a sponsor... Woot!
Describe the bug
The Request AntiForgery Token is not available when making an API call to a controller from the SPA. Apparently, DNN only outputs the Token for Admins or if the search box is present in the skin. For a non-Admin user on a page without a search box, the Token isn't present and thus any AJAX calls to a controller that uses [ValidateAntiForgeryToken] will fail as 404 - unauthorized. Note: I only tested this with the Vue 3 Template, but I assume it would be an issue on other templates as well.
Software Versions
DNN: 09.13.02
Vue 3 Generator Template
To Reproduce
Steps to reproduce the behavior:
Generate a Vue 3 module using the generator.
Place it on a page with a skin that doesn't have a search box.
Access the page when not logged in.
Attempt to access an API call that has the [ValidateAntiForgeryToken] attribute.
DevTools shows no RequestVerificationToken is present.
Expected behavior
The Token should be present client side and sent with the API call.
Actual behavior
The Token is not available client side.
Solution
The solution is to force DNN To create the Token. I have only tested this for the Vue 3 template, but adding data-anti-forgery-token="[AntiForgeryToken:true]" to the app div solves the issue. So for the Vue 3 template, the view.html file in the root folder of the module can be modified to:
Sponsorship
If this request requires additional support (e.g., such as direct email/phone/meeting/development), I have the following interest in helping to sponsor the effort via GitHub Sponsors:
Describe the bug
The Request AntiForgery Token is not available when making an API call to a controller from the SPA. Apparently, DNN only outputs the Token for Admins or if the search box is present in the skin. For a non-Admin user on a page without a search box, the Token isn't present and thus any AJAX calls to a controller that uses
[ValidateAntiForgeryToken]will fail as 404 - unauthorized.Note: I only tested this with the Vue 3 Template, but I assume it would be an issue on other templates as well.
Software Versions
To Reproduce
Steps to reproduce the behavior:
[ValidateAntiForgeryToken]attribute.RequestVerificationTokenis present.Expected behavior
The Token should be present client side and sent with the API call.
Actual behavior
The Token is not available client side.
Solution
The solution is to force DNN To create the Token. I have only tested this for the Vue 3 template, but adding
data-anti-forgery-token="[AntiForgeryToken:true]"to the app div solves the issue. So for the Vue 3 template, theview.htmlfile in the root folder of the module can be modified to:Additional context
see discussion https://stackoverflow.com/questions/53206077/dnn-spa-module-with-webapi-works-for-administrators-but-not-for-registered-users
The text was updated successfully, but these errors were encountered: