ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Disable secure forms on a form-by-form basis

August 20, 2008 7:16am

  • #1 / Aug 20, 2008 7:16am

    iseem

    41 posts

    ...and/or disable secure forms for logged in users. My OP is below:

    I have a form that users can only fill out after they log in. I’m getting complaints about the “You are not authorized to perform this action” error, which I gather is a result of Secure Forms being enabled. Is there a way to disable secure forms just on this one form without disabling it for my publicly accessible forms?

  • #2 / Aug 20, 2008 11:26am

    Derek Jones

    7561 posts

    iseem, I’m moving this to Technical Support as it appears that you have a support issue that we might be able to help you with.

    What is this form, how is it being generated?  We need to find out why this one form is causing people problems but your others do not.

  • #3 / Aug 21, 2008 3:21am

    iseem

    41 posts

    > What is this form, how is it being generated?

    This is a custom ‘edit profile’ form, generated with the Solspace User module.

    > We need to find out why this one form is causing people problems but your others do not.

    Differences with this form:

    - only form NOT using captcha. I don’t think the error can occur if captcha is enabled because the ‘incorrect captcha’ error gets thrown first.

    - only form that doesn’t redirect to a ‘Thanks’ page after submission… just stays on the same page so they can keep editing.

    - only form with a login conditional: if not logged in, login form; else, profile form. Perhaps the page isn’t refreshing properly after login?

    - only form that requires login (session type = cookies only)


    That’s all I can think of as far as differences. I’ve tried to recreate the error about 40 times, and only got it to happen twice (by leaving the page and then returning via the back button). Doesn’t seem to occur in any definite pattern that I can see.

  • #4 / Aug 21, 2008 11:39am

    Derek Jones

    7561 posts

    Are you using template caching on this page?  Can you post the form tag in its full context?  The full template if you can, reduced to only what is minimally required for this behavior to rear its head.  I have a feeling that this is something you’ll need to get support from Solspace on, but before sending you to their forums, there are a few things we can try to eliminate from EE’s side of things.

  • #5 / Aug 22, 2008 12:42am

    iseem

    41 posts

    Derek: Answers are below, but I don’t want you to spend time unnecessarily so can you tell me this… if I’m using captcha on public forms do I still need secure forms enabled? I’m using captcha anyway, so if captcha is sufficient then I’ll just disable secure forms, and perhaps this issue will resolve itself in later EE or Solspace updates. -thanks

    > Are you using template caching on this page?

    No, caching is off.

    > reduced to only what is minimally required for this behavior to rear its head.

    I’ll try. Problem is I can’t figure out what causes the issue to occur. Seems to happen when someone uses the back button to return to the page, but I’ve tried repeatedly and only got it to happen twice.

    > I have a feeling that this is something you’ll need to get support from Solspace on

    According to Pie Man over at Solspace, in answer to “under what circumstances does it do that?”

    > Usually only if someone submits a form (fully), and the user hits the back button (“just to edit something”), edits any info, and resubmits.
    >
    > That’s probably the most common reason.
    >
    > Unfortunately this is a characteristic of ExpressionEngine itself, and there’s nothing we can do about it, other than you disabling “Secure Forms” which opens the doors to Spam…

    Full thread at Solspace: http://www.solspace.com/forums/viewthread/1002/

  • #6 / Aug 22, 2008 1:31am

    Derek Jones

    7561 posts

    That would do it with secure forms enabled, and no, I do not recommend disabling it unless you have no other recourse.  The purpose of CAPTCHA and secure forms is quite different, though they can work in tandem to prevent spam.  Pie Man almost has it, but I would guess that their code is checking, validating, and deleting your secure form hash before validating the form itself, which would be the reverse order.  The secure form hash should not be checked, or at least not deleted, unless the form submission is accepted.  That way it doesn’t expire with a “bad” form submission.
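
Added example, not part of the thread and not ExpressionEngine or Solspace code: a small Python model of the ordering described in #6, showing how a one-time form hash behaves when it is deleted before form validation versus only after the submission is accepted. The store class, the handler names and the email rule are hypothetical and constructed for illustration.

```python
import secrets

NOT_AUTHORIZED = "You are not authorized to perform this action"

class FormHashStore:
    """Hypothetical one-time form-hash store (a model, not EE's implementation)."""
    def __init__(self):
        self._live = set()

    def issue(self):
        token = secrets.token_hex(16)
        self._live.add(token)
        return token

    def is_live(self, token):
        return token in self._live

    def consume(self, token):
        self._live.discard(token)

def profile_errors(fields):
    """Constructed validation rule standing in for the edit-profile checks."""
    return [] if "@" in fields.get("email", "") else ["invalid email"]

def submit_delete_first(store, token, fields):
    """Hash is deleted before the form itself is validated."""
    if not store.is_live(token):
        return NOT_AUTHORIZED
    store.consume(token)  # gone even when the submission is rejected below
    return "rejected" if profile_errors(fields) else "saved"

def submit_delete_on_accept(store, token, fields):
    """Hash is deleted only once the submission has been accepted."""
    if not store.is_live(token):
        return NOT_AUTHORIZED
    if profile_errors(fields):
        return "rejected"  # hash still valid, so a corrected resubmit works
    store.consume(token)
    return "saved"

def replay(handler):
    """Bad submit, corrected resubmit, then a repeat, all with one hash."""
    store, bad, good = FormHashStore(), {"email": "nope"}, {"email": "user@example.com"}
    token = store.issue()
    return [handler(store, token, f) for f in (bad, good, good)]

if __name__ == "__main__":
    print(replay(submit_delete_first))
    print(replay(submit_delete_on_accept))
```

In both orderings a repeat of an already accepted submission is still refused, which is the back-button case quoted in #5. In a real handler the liveness check and the delete need to be one atomic step, otherwise two simultaneous submissions can both pass the check.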
