request_token not getting verified correctly (Contao 4.6.6 & 4.6.8) #8

Closed
Paddy0174 opened this issue Nov 11, 2018 · 13 comments

@Paddy0174

Fieldpalette is actually not usable under 4.6.6 (downgrade because of #153) because of the request token not being verified correctly.

fieldpalette_token

You get this modal window while creating a new entry or changing an existing one. But you can't delete an entry (I assume because of no modal window with the rt-message to confirm).

@fatcrobat

Can you please try version 0.4.5 if this error still exists?

@fatcrobat self-assigned this on Nov 12, 2018
@fatcrobat added the bug label on Nov 12, 2018

@Paddy0174

Thanks for the new version, it does clear the element.button error, but unfortunately not this one. So no, it doesn't work with 0.4.5.

@Paddy0174

Updated Contao from 4.6.6 to 4.6.8, unfortunately no change, still not working. Can you point in any direction where one (me) can take a look?

@Paddy0174

Anything? :)

@Paddy0174 changed the title from "request_token not getting verified correctly (Contao 4.6.6)" to "request_token not getting verified correctly (Contao 4.6.6 & 4.6.8)" on Nov 17, 2018

@fatcrobat

They changed the javascript order between 4.4 and 4.6. As fieldpalette uses jQuery in Backend mode, jQuery is currently invoked too late. We are currently investigating the problem and will try to fix it soon, but as we use only LTS versions in our own projects, providing support for non-LTS versions is not the highest priority.

@fatcrobat

Related to heimrichhannot/contao-utils-bundle#5

@Paddy0174

Paddy0174 commented Nov 19, 2018

I know and understand, supporting non-LTS is unfortunately not the highest priority. I wouldn't use the 4.6 if it weren't for the DSGVO changes.... Just updated two weeks ago, just because of this....

But, regarding the problem:
Are you sure it's the JS? From what I found, the RT is in the wrong "scope" of some kind. The RT taken by the FieldPaletteBackend.refreshFieldPalette is already wrong.

If I set the RT as a new value (i.e. "req_tok") in ButtonElement I do get the right RT, but I cannot get it as the correct parameter. Like so:

    'id' => $this->id,
    $this->fieldpaletteKey => $this->fieldpalette,
    'popup' => $this->popup,
    'req_tok' => REQUEST_TOKEN

and allow it in the switch afterwards, I do get the "req_tok" correctly appended to the link, with the correct RT. The RT that is already set in the link (rt=...) is still the wrong one.

This is the link for the site call:

    contao?do=sema_contact&act=edit&id=12&rt=yccXyHo758RbQhRec8kHOAo5FQ0j0PSIR65IbVjbjjY&ref=e8JJVt86

This is the link that is set for the fieldpalette entries:

    contao?do=sema_contact&table=tl_member_sema_email&act=edit&id=5&popup=1&rt=ulGp1RTkw86R1uLjKOrcD24P_ykM-VMNrRUNrMIcA6U&mode=2&ref=KPArGM_U

See the difference in the RT already?

If I now change as mentioned above, this is what I get:

    https://inputev.uber.space/contao?do=sema_contact&table=tl_member_sema_email&act=edit&id=5&popup=1&rt=ulGp1RTkw86R1uLjKOrcD24P_ykM-VMNrRUNrMIcA6U&mode=2&ref=KPArGM_U&req_tok=yccXyHo758RbQhRec8kHOAo5FQ0j0PSIR65IbVjbjjY

There are two different values already for the RT, so the JS is using the already wrong second one.

What I can't figure out: if I set the RT in ButtonElement as "rt" like so

    'rt' => REQUEST_TOKEN,
    'req_token' => REQUEST_TOKEN

I still get the correct one with "req_tok", but not as "rt". So somewhere afterwards it must get overridden, but where....?

Hope this makes sense to you, if not, please ask, I will examine further.

Again, I can understand the not-priority support, but if you could point me in further directions, I will search for the error. And as soon as I find it, I will send a PR.

@fatcrobat

This was related to heimrichhannot/contao-utils-bundle#5. Contao did change the token_manager within a bugfix release (contao/core-bundle@47a2e6a). This is why we do not use non-LTS contao for our customer projects. Fixed it right now in 0.4.6.

Also the way javascript is invoked and ordered has changed… Currently could fix it using the async flag.

@Paddy0174

Thanks a lot, the updated utils bundle did solve the error. Thank you a lot! If you come to Munich the next time, let me know, the first beer is on me! :)

So I was in the wrong place at all. :|

@fritzmg

fritzmg commented Nov 27, 2018

> They changed the javascript order between 4.4 and 4.6.

Could you be more specific? I cannot see any difference between 4.4 and 4.6 regarding JavaScript loading order. Maybe open an issue about that in contao/contao.

@fatcrobat

@fritzmg Have an eye on this commit: contao/contao@8ae4a8f

If you used static before it did not combine in 4.4. This is why I told javascript was changed.

@fritzmg

fritzmg commented Nov 28, 2018

Hm, that commit only adds support for async, as far as I can see? Can you give an example where the JavaScript loading order is changed from 4.4 to 4.6?

// oh this is about the back end ...

@fatcrobat

@fritzmg Sorry for the late reply. Yes this affects the back end only. No idea why async flag is added to jQuery. Before it was just static. In order to maintain Bundle loading order, it should be at most deferred flagged.
