I wanted to remove some token from add to cart forms even for anonymous users and I realised that even though anonymous (for now) is the only role configured for authcache, I wasn't able to configure that role to remove form token.
Looking in the code I realised this was somehow by design, but I wonder if that should be like that or maybe some decision along the way carried away? I want to have the flexibility of doing such a thing, I am not sure why a module like this one should simply not allow it.
Comments
Comment #2
hanoii
After looking at code it seems that the most sensible way is to simply remove the #members_only feature all along. It's only really used within authcache_form and I rather allow for flexibility than something else.
Attached is a patch that removes all of this.
I project-wise searched and it's only used on those places.
Comment #7
znerol
There should not be any tokens on any forms built for anonymous users. See drupal_prepare_form().
Do you really see form_token added to a form for anonymous users on your site? Hint, do not confuse CSRF tokens with the form_build_id which is required for Ajax forms. The latter is also added for anonymous users.
Comment #8
hanoii
Ah, will investigate further, I assumed as I remember doing something like this while implementing a custom cache solution with nginx. Thanks a lot for the quick reply, will follow up with a few other patches probably. Thanks!
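One way to answer the question from comment #7 on your own site, as an added example that is not part of the original thread or of the authcache module: parse the rendered page and report, per form, whether the CSRF field form_token or only form_build_id is present. The two HTML samples and the form id example_add_to_cart_form are constructed for illustration.

```python
from html.parser import HTMLParser


class FormAudit(HTMLParser):
    """Collect Drupal's hidden form fields for each <form> on a page."""
    TRACKED = ("form_id", "form_build_id", "form_token")

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict of tracked fields per <form>
        self._current = None   # fields of the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            hidden = (a.get("type") or "").lower() == "hidden"
            if hidden and a.get("name") in self.TRACKED:
                self._current[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html):
    """Return one record per form: its form_id and which fields it carries."""
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    return [{"form_id": f.get("form_id"),
             "csrf_token": "form_token" in f,
             "build_id": "form_build_id" in f} for f in parser.forms]


def forms_with_csrf_token(html):
    """Form ids that carry a per-user CSRF token and so differ per user."""
    return [r["form_id"] for r in audit_forms(html) if r["csrf_token"]]


# Constructed samples: the same form rendered for an anonymous and a logged-in user.
ANON_HTML = """<form action="/node/1" method="post">
<input type="hidden" name="form_build_id" value="form-CONSTRUCTED-1" />
<input type="hidden" name="form_id" value="example_add_to_cart_form" />
</form>"""
AUTH_HTML = ANON_HTML.replace(
    "</form>",
    '<input type="hidden" name="form_token" value="CONSTRUCTED-TOKEN" />\n</form>')
```

Feed it the HTML your cache layer would store for each role; any form id returned by forms_with_csrf_token() is one whose markup contains a user-specific value.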