From: Aleksey Filippov Date: Fri, 27 Feb 2026 15:06:41 +0000 (+0300) Subject: fix(ERP-244): fix CSRF validation error in ShiftReminderController X-Git-Url: https://gitweb.erp-flowers.ru/?a=commitdiff_plain;h=6e11256592740b066cb6a78f88f4fc85eb5f846f;p=erp24_rep%2Fyii-erp24%2F.git fix(ERP-244): fix CSRF validation error in ShiftReminderController - Disable CSRF validation on ShiftReminderController: endpoint is protected by session authentication (AccessControl, roles=['@']). CSRF cookies may be absent in browsers with strict privacy settings, causing false 400 errors for legitimate authenticated users. - Stop retrying on 400/401/403 responses in shift-reminder.js to prevent cascading error floods in logs when auth/validation fails. Co-Authored-By: Claude Sonnet 4.6
---
diff --git a/erp24/controllers/ShiftReminderController.php b/erp24/controllers/ShiftReminderController.php
index 6378dd4e..6f66c2c9 100644
--- a/erp24/controllers/ShiftReminderController.php
+++ b/erp24/controllers/ShiftReminderController.php
@@ -21,6 +21,13 @@ use yii_app\services\ShiftReminderService;
 */
 class ShiftReminderController extends Controller
 {
+ /**
+ * Disable CSRF validation — endpoint is protected by session authentication
+ * (AccessControl requires authenticated user). CSRF cookies may be absent
+ * in browsers with strict privacy settings, causing false 400 errors.
+ */
+ public $enableCsrfValidation = false;
+ /** + * {@inheritdoc} + */
diff --git a/erp24/web/js/shift-reminder.js b/erp24/web/js/shift-reminder.js
index 5267b9a9..83cdfca5 100644
--- a/erp24/web/js/shift-reminder.js
+++ b/erp24/web/js/shift-reminder.js
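Review bot: Session authentication is not a substitute for CSRF validation — a CSRF attack is by definition a cross-origin request that rides on the victim's existing authenticated session, so `public $enableCsrfValidation = false;` removes the only protection this controller had against a third-party page triggering its actions on behalf of a logged-in user, and the docblock above it encodes that mistaken rationale. If the real problem is the CSRF cookie being blocked, Yii 2 can keep validation while storing the token in the session instead of a cookie (`'request' => ['enableCsrfCookie' => false]` in the application config), with shift-reminder.js sending `yii.getCsrfToken()` in the `X-CSRF-Token` header; if every action here is strictly read-only the exposure is smaller, but the action bodies are outside this hunk and cannot be checked. At minimum the docblock should state the actual trade-off rather than the claim that session auth covers it, e.g. `* NOTE: this disables CSRF protection for every action; session auth does not stop cross-site requests.` The class body continues outside the hunk.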
@@ -186,6 +186,12 @@
 return;
 }
+ if (xhr.status === 400 || xhr.status === 401 || xhr.status === 403) {
+ // Auth/validation error - no point retrying, stop polling
+ console.error('ShiftReminder: server rejected request (' + xhr.status + '), polling stopped.');
+ return;
+ }
+
 // Network error - implement exponential backoff
 if (state.retryCount < CONFIG.retryIntervals.length - 1) {
 state.retryCount++;
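Review bot: A 401 or 403 on this endpoint most likely means the session has expired, but the new branch only writes to the console and returns, so the user silently loses shift reminders with no hint that they need to sign in again; the comment promises polling is "stopped", yet whether another timer is still scheduled is outside this hunk. Consider handling 401 on its own and surfacing a reload/sign-in notice, e.g. `if (xhr.status === 401) { /* session gone: tell the user to sign in again */ }`, before the generic bail-out. A 400 can also be transient — a stale CSRF token after re-login is exactly the case the commit message cites — so one bounded retry after refreshing the token (via `yii.getCsrfToken()`, if yii.js is loaded on this page) would be kinder than a permanent stop on the first 400. The enclosing error handler starts and ends outside the hunk.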