I wanted to remove some token from add to cart forms even for anonymous users and I realised that even though anonymous (for now) is the only role configured for authcache, I wasn't able to configure that role to remove the form token.

Looking in the code I realised this was somehow by design, but I wonder if it should be like that or maybe some decision along the way got carried away? I want to have the flexibility of doing such a thing; I am not sure why a module like this one should simply not allow it.

Comments

hanoii created an issue. See original summary.

hanoii’s picture

After looking at the code it seems that the most sensible way is to simply remove the #members_only feature all along. It's only really used within authcache_form and I'd rather allow for flexibility than something else.

Attached is a patch that removes all of this.

I searched project-wide and it's only used in those places.

Status: Needs review » Needs work

The last submitted patch, 2: authcache-remove_members_only_widget-2750043-2.patch, failed testing.

znerol’s picture

There should not be any tokens on any forms built for anonymous users. See drupal_prepare_form().

Do you really see form_token added to a form for anonymous users on your site? Hint: do not confuse CSRF tokens with the form_build_id, which is required for Ajax forms. The latter is also added for anonymous users.
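
One way to check the question above against rendered page HTML, as an added example that is not part of the original thread or of the authcache code: it lists, per form, which of the hidden fields form_token, form_build_id and form_id are present. The sample markup and the names FormFieldAudit, audit and forms_with_csrf_token are constructed for illustration.

```python
from html.parser import HTMLParser

# Hidden fields named in the thread, plus form_id.
TRACKED = ("form_token", "form_build_id", "form_id")


class FormFieldAudit(HTMLParser):
    """Collect the tracked hidden inputs of each <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form, in document order
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id", ""), "fields": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            hidden = (a.get("type") or "").lower() == "hidden"
            if hidden and a.get("name") in TRACKED:
                self._current["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(html):
    parser = FormFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.forms


def forms_with_csrf_token(html):
    """Return the ids of forms that carry a form_token field."""
    return [f["id"] for f in audit(html) if "form_token" in f["fields"]]


# Constructed sample markup, not captured from a real site.
ANON_PAGE = """<form id="add-to-cart" method="post">
  <input type="hidden" name="form_build_id" value="form-CONSTRUCTED" />
  <input type="hidden" name="form_id" value="add_to_cart_form" />
</form>"""
AUTH_PAGE = ANON_PAGE.replace(
    "</form>",
    '  <input type="hidden" name="form_token" value="CONSTRUCTED" />\n</form>')
```

Feeding it the HTML of a page fetched without a session cookie shows whether any form on that page actually carries form_token, or only form_build_id.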

hanoii’s picture

Ah, will investigate further, I assumed as I remember doing something like this while implementing a custom cache solution with nginx. Thanks a lot for the quick reply, will follow up with a few other patches probably. Thanks!

znerol’s picture

Status: Needs work » Postponed (maintainer needs more info)

znerol’s picture

Status: Postponed (maintainer needs more info) » Closed (works as designed)