This question has been flagged
2 Replies
11425 Views
phpxmlrpcwebserviceCSRF
Avatar
Nicolás Mena

Hello, 


I'm trying to do a simple test with ripcord and php to login and get info of my installation of odoo 9.0  with the following script


[xmlrpc_test.php]

<?php
$url = "http://localhost.8069";
$db = "odoo9";
$username = "admin";
$password = "mypassword";
require_once('include/ripcord/ripcord.php');
$info = ripcord::client('http://127.0.0.1:8069')->start();
list($url, $db, $username, $password) =  array($info['host'], $info['database'], $info['user'], $info['password']);
?>


But when I open the php file on the browser i get this message on the console of Eclipse


Odoo URLs are CSRF-protected by default (when accessed with unsafeHTTP methods). Seehttps://www.odoo.com/documentation/9.0/reference/http.html#csrf formore details.
* if this endpoint is accessed through Odoo via py-QWeb form, embed a CSRF token in the form, Tokens are available via `request.csrf_token()` can be provided through a hidden input and must be POST-ed named `csrf_token` e.g. in your form add:
      <input type="hidden" name="csrf_token" t-att-value="request.csrf_token()"/>
* if the form is generated or posted in javascript, the token value is available as `csrf_token` on `web.core` and as the `csrf_token` value in the default js-qweb execution context
* if the form is accessed by an external third party (e.g. REST API endpoint, payment gateway callback) you will need to disable CSRF protection (and implement your own protection if necessary) by passing the `csrf=False` parameter to the `route` decorator.
2017-03-01 15:17:40,142 7776 INFO ? werkzeug: 127.0.0.1 - - [01/Mar/2017 15:17:40] "POST / HTTP/1.0" 400 -
2017-03-01 15:17:40,286 7776 WARNING ? openerp.http: No CSRF validation token provided for path '/'

Reading the documentation mentioned in the message (https://www.odoo.com/documentation/9.0/reference/http.html#csrf) seems i have to create a controller to handle the connections from a "third party" code, here's my question:


How and where I have to create that web controller to deactivate the csrf protection ? If you can help me with some examples or links with more info I'll be grateful.


Best regards




Avatar
Discard
Avatar
Nicolás Mena
Author Best Answer

Thanks Axel, I've tryed that correction but now i get a 404 error in the console, that works in the same way for odoo.com instances and a standalone installation? 

I've tryed /start and /xmlrpc routes.


2017-03-02 14:55:40,120 27569 INFO ? werkzeug: 127.0.0.1 - - [02/Mar/2017 14:55:40] "POST /start HTTP/1.0" 404 -2017-03-02 14:56:01,261 27569 INFO ? werkzeug: 127.0.0.1 - - [02/Mar/2017 14:56:01] "POST /xmlrpc HTTP/1.0" 404 -

Best Regards


EDIT: This problem was solved, i've reviewed my DB credentials and now it's working ok    

Avatar
Discard
Avatar
Axel Mendoza
Best Answer

The thing is that you are not correctly using the start demo described here:

http://www.odoo.com/documentation/9.0/api_integration.html

To fix it just use this url like described in the docs

$url = "http://localhost.8069/start";

and keep the rest of your code, CSRF is another topic and you wouldn't reach it when using remote api, if you see a result asking for the csrf_token it's because your request is getting attended by an Odoo Web Controller instead of the services layer and you need to review your url like this case

Avatar
Discard