[rt-users] Cross site request forgery?

Paul Tomblin ptomblin at xcski.com
Sat Jun 2 16:04:21 EDT 2012

I'm trying to do a jquery autocomplete, but using my "other" database
rather than the RT database.  I created a web form in my extension's
own html/cf directory, which I can access.  I also put a autocomplete
file in html/cf/AutoComplete called "People", which looks a lot like
your Helpers/Autocomplete/Users:

% $r->content_type('application/json');
<% JSON( \@suggestions ) |n %>
% $m->abort;
$field => undef
$term => undef
use RTx::FooBar::Records::Peoples;

$RT::Logger->debug("called AutoComplete/People");

my $people = RTx::FooBar::Records::Peoples->new(Handle => CFHandle());
    FIELD       =>  $field,
    OPERATOR    =>  'LIKE',
    VALUE       =>  '%'.$term.'%',

my @suggestions
while (my $person = $people->Next)
  my $suggestion = { label => $person->$field, value => $person };
  push @suggestions, $suggestion;

I've already tested that my autohandler provides the correct CFHandle
to my database, and that RTx::FooBar::Records::Peoples returns the
correct rows when accessed like this.

But when I try to access this file as the source in my .autocomplete,
it gets a 404.  I've tried it with a relative path and an absolute
path, same results.
And if I try to access the url directly, I get this RT page that says
it's a possible cross-site request forgery.

What can I do to make this work?


More information about the rt-users mailing list