Problem/Motivation
When anonymous users are trying to upload via DropzoneJS, an access denied exception is thrown.
I'm using this in combination with webform_dropzonejs to let anonymous users upload documents.
Path: /nl/dropzonejs/upload?token=cNJv8hT1jZdmtk6XCAWtGm3jmoaH3ILoCUQFACwxrqA. Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: 'csrf_token' URL query argument is invalid. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 120 of /data/sites/web/xxxxx/production/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).
Should we also allow uploads without csrf-token to allow anonymous uploads?
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | dropzonejs-3197207-2.patch | 350 bytes | stijnstroobants |
Comments
Comment #2
stijnstroobants
I know this is probably not the best solution, but I removed the csrf access check in the routing.yml file.
csrf-tokens will not work for anonymous users.
Comment #3
nwom commented
Setting to Needs Review, since a patch is attached. I have not tested it, but ran into the issue while looking for something else.
Comment #5
kazah commented
Is there any progress?
Comment #6
weseze commented
Seems like a security issue to remove the CSRF token?
Comment #7
joseph.olstad
I have a use case for this, we need to accept anonymous uploads and the way we're doing this somehow core doesn't like it. There's either the above patch or the core patch.
See #3316184: Sessionless users have no CSRF token - use 2.5.0 instead of 2.7.0
Comment #8
joseph.olstad
The above patch is working for anonymous uploads (a valid use case we are using).
I've triggered a few new test runs in comment #2.
Comment #9
aherczeg commented
Patch in #2 solves the issue for us.