I am currently trying to automatically generate actionUrls in a datatable using aui.
I am already generating the links using a formatter; however, as soon as I try to execute the action using one of the links, it is rejected and the action is not executed. I am assuming this is part of the cross-site scripting protection measures.
[http-bio-8080-exec-2][SecurityPortletContainerWrapper:630] Reject process action for /c/portal/layout on functiontest_WAR_functionTestportlet
I am generating the links like this:
<aui:script>
AUI().use(
    'aui-datatable',
    'datatable-sort',
    'datatable-paginator',
    'aui-datatable-highlight',
    'liferay-portlet-url',
    function(A) {
        var columns = [{
            label: 'ID',
            key: 'testVar',
            allowHTML: true,
            sortable: true,
            // Render each cell as a link that triggers the portlet's actionTest action.
            formatter: function(o) {
                var url = Liferay.PortletURL.createActionURL();
                url.setWindowState("<%= LiferayWindowState.NORMAL.toString() %>");
                url.setPortletMode("<%= LiferayPortletMode.VIEW %>");
                url.setPortletId("<%= themeDisplay.getPortletDisplay().getId() %>");
                url.setPlid("<%= plid %>");
                url.setParameter("javax.portlet.action", "actionTest");
                url.setParameter("testVar", o.data.testVar);
                // The column key is 'testVar' (lower-case t), so read the same property for the label.
                return '<a href="' + url + '">' + o.data.testVar + '</a>';
            }
        }];
        var table = new A.DataTable(
            {
                ...
            }
        ).render('#DataTable');
        .....
    }
);
</aui:script>
Does anyone know how I can allow the execution of the freshly generated URLs without disabling security?
Kind regards John Smith
That happens when the auth token does not exist in your action URL. You could add the auth parameter, or you have 3 options to skip that case:
Editing portal-ext.properties:
auth.token.ignore.actions=....
Adding init-param to portlet.xml:
<init-param>
    <name>check-auth-token</name>
    <value>false</value>
</init-param>
Editing portal-ext.properties (NOT RECOMMENDED):
auth.token.check.enabled=false
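The answer's first suggestion, adding the auth parameter, as an added example that is not code from this thread. It assumes the portal reads the token from a request parameter named `p_auth` and exposes the current session's token to page scripts as `Liferay.authToken`; the helper names are hypothetical. Because the column sets `allowHTML`, the helper also HTML-escapes the URL and the label.

```javascript
'use strict';

// Escape a value for HTML text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, function (ch) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch];
  });
}

// Return `url` carrying exactly one p_auth parameter set to `token`.
// Assumption: p_auth is the parameter the portal checks on action requests.
function withAuthToken(url, token) {
  if (!token) {
    // Fail closed rather than emit a link the portal will reject.
    throw new Error('missing auth token');
  }
  var hashAt = url.indexOf('#');
  var fragment = hashAt === -1 ? '' : url.slice(hashAt);
  var rest = hashAt === -1 ? url : url.slice(0, hashAt);
  var queryAt = rest.indexOf('?');
  var path = queryAt === -1 ? rest : rest.slice(0, queryAt);
  var query = queryAt === -1 ? '' : rest.slice(queryAt + 1);
  // Drop empty pairs and any stale p_auth so the token is never duplicated.
  var pairs = query.split('&').filter(function (pair) {
    return pair !== '' && pair.split('=')[0] !== 'p_auth';
  });
  pairs.push('p_auth=' + encodeURIComponent(token));
  return path + '?' + pairs.join('&') + fragment;
}

// Build the cell markup: tokenised action URL plus escaped label.
function actionLink(actionUrl, token, label) {
  var href = withAuthToken(String(actionUrl), token);
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(label) + '</a>';
}

// In the formatter from the question (assumes Liferay.authToken is defined):
//   return actionLink(url, Liferay.authToken, o.data.testVar);
```

With the token on the URL, the per-portlet and portal-wide opt-outs listed above are not needed and the CSRF check stays enabled.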