Hello,
I've found that with page caching set to 'Normal', anonymous users can't vote. With the previous version (1.13) and the same cache everything was fine. I've analyzed the new module's code and think that the problem is in the form token, which is cached for anonymous users. When I commented out this code in the fivestar_vote() function:

```php
// Reject the vote when the token is missing or does not validate for $path.
if (!isset($_GET['token']) || !fivestar_check_token($_GET['token'], $path)) {
  $output .= '<xml><error>'. t('Invalid token') .'</error></xml>';
  exit($output);
}
```

votes started to work for anonymous users. Can you offer a better solution for this problem? Because now fivestar doesn't work for sites with the normal cache setting and anonymous voters.
Comment | File | Size | Author |
---|---|---|---|
#3 | fivestar_anonymous_token_check.patch | 1.11 KB | quicksketch |
Comments
Comment #1
Jeff Burnz
Anon users cannot vote on my site either, I only picked up on this from the lack of votes, so I tried to vote as anon and the vote never gets saved and no error message is returned. http://3rdworldthemes.org
I commented out the call to fivestar_check_token function in function fivestar_vote and now it works:
line 695: if (!isset($_GET['token']) /*|| !fivestar_check_token($_GET['token'], $path)*/)
I'm looking at $path in function fivestar_vote and wondering if that is the issue?
This is critical for me as I don't have logged in users and I need to use the cache.
Comment #2
beholder
I think the problem is with the cached security token in the vote form — for every anonymous user this token is the same, but fivestar_check_token() expects different tokens for every user. When the page is cached, the form token is static and equal for all users, so fivestar throws the error "Invalid token". We need to rebuild this token for anonymous users (I don't think it's possible with page caching, but I'm not sure) or we need to remove this check from the fivestar module code.
Comment #3
quicksketch
I've applied the attached patch which lessens the restrictions on anonymous users. Since the page cache gives all anonymous users the same HTML output, we have to allow the same token to be accepted for all anonymous users.
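
The mismatch described in comments #2 and #3, as an added example that is not part of the thread or of the attached patch: a stand-alone PHP model in which a session-bound token is stored in the page cache and then rejected for the next anonymous visitor, next to a relaxed check that uses one token for all anonymous users. The HMAC construction, `PRIVATE_KEY`, `token_for()`, `token_ok()`, `cached_page()` and the sample session ids and paths are assumptions for illustration; the patch's actual code is not shown on this page.

```php
<?php
// Added example: a model of the failure in this thread, not Fivestar or Drupal code.
const PRIVATE_KEY = 'constructed-site-private-key'; // constructed sample secret

// Token for a vote path. By default it is bound to the caller's session id.
// With $sharedAnon, anonymous callers (uid 0) all get one session-independent token.
function token_for(int $uid, string $sessionId, string $path, bool $sharedAnon): string {
    $binding = ($sharedAnon && $uid === 0) ? 'anonymous' : $sessionId;
    return hash_hmac('sha256', $path, $binding . PRIVATE_KEY);
}

// Recompute the expected token for the caller and compare in constant time.
function token_ok(string $token, int $uid, string $sessionId, string $path, bool $sharedAnon): bool {
    return hash_equals(token_for($uid, $sessionId, $path, $sharedAnon), $token);
}

// Page cache: the first anonymous request renders, later ones get the stored HTML.
function cached_page(array &$cache, string $url, callable $render): string {
    return $cache[$url] ??= $render();
}

$url  = '/node/1';        // constructed page URL
$path = 'vote/node/1/80'; // constructed vote path

foreach ([false, true] as $sharedAnon) {
    $cache = [];
    // Visitor A fills the cache; visitor B is then served A's HTML, token included.
    cached_page($cache, $url, fn() => token_for(0, 'sess-A', $path, $sharedAnon));
    $served = cached_page($cache, $url, fn() => token_for(0, 'sess-B', $path, $sharedAnon));
    $anonOk = token_ok($served, 0, 'sess-B', $path, $sharedAnon);

    // Logged-in users bypass the page cache; a token from another session must still fail.
    $foreign = token_for(7, 'sess-X', $path, $sharedAnon);
    $userOk  = token_ok($foreign, 7, 'sess-Y', $path, $sharedAnon);

    printf("shared anonymous token: %s | cached anonymous vote accepted: %s | foreign user token accepted: %s\n",
        var_export($sharedAnon, true), var_export($anonOk, true), var_export($userOk, true));
}
```

In the relaxed mode every anonymous visitor holds the same token, so it no longer ties a vote request to the visitor who loaded the page; only logged-in users keep a per-session token.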
Comment #4
quicksketch