The module uses CSRF tokens for the autocomplete callback. That makes no sense in terms of security (no actual action is done there; it is needed for delete/update/create operations, not read) and it makes it impossible to write tests for the autocomplete widget (as tests don't have proper session storage for that).

Comments

artem_sylchuk created an issue. See original summary.

Denist3r made their first commit to this issue’s fork.

denist3r

Status: Active » Needs work

Removed the _csrf_token: 'TRUE' requirement for the privateMessageMembersAutocomplete callback.
Checked also for ajaxCallback, but it is significant to keep _csrf_token here, because of CRUD operations related to that callback.

artem_sylchuk

Status: Needs work » Fixed

Yeah, makes sense, however I think manually setting the token option for the URL is unnecessary as long as the route has that in its requirements. But better to keep it separated.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.