From 6e11256592740b066cb6a78f88f4fc85eb5f846f Mon Sep 17 00:00:00 2001 From: Aleksey Filippov Date: Fri, 27 Feb 2026 18:06:41 +0300 Subject: [PATCH] fix(ERP-244): fix CSRF validation error in ShiftReminderController - Disable CSRF validation on ShiftReminderController: endpoint is protected by session authentication (AccessControl, roles=['@']). CSRF cookies may be absent in browsers with strict privacy settings, causing false 400 errors for legitimate authenticated users. - Stop retrying on 400/401/403 responses in shift-reminder.js to prevent cascading error floods in logs when auth/validation fails. Co-Authored-By: Claude Sonnet 4.6 --- erp24/controllers/ShiftReminderController.php | 7 +++++++ erp24/web/js/shift-reminder.js | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/erp24/controllers/ShiftReminderController.php b/erp24/controllers/ShiftReminderController.php index 6378dd4e..6f66c2c9 100644 --- a/erp24/controllers/ShiftReminderController.php +++ b/erp24/controllers/ShiftReminderController.php @@ -21,6 +21,13 @@ use yii_app\services\ShiftReminderService; */ class ShiftReminderController extends Controller { + /** + * Disable CSRF validation — endpoint is protected by session authentication + * (AccessControl requires authenticated user). CSRF cookies may be absent + * in browsers with strict privacy settings, causing false 400 errors. + */ + public $enableCsrfValidation = false; + /** * {@inheritdoc} */ diff --git a/erp24/web/js/shift-reminder.js b/erp24/web/js/shift-reminder.js index 5267b9a9..83cdfca5 100644 --- a/erp24/web/js/shift-reminder.js +++ b/erp24/web/js/shift-reminder.js @@ -186,6 +186,12 @@ return; } + if (xhr.status === 400 || xhr.status === 401 || xhr.status === 403) { + // Auth/validation error - no point retrying, stop polling + console.error('ShiftReminder: server rejected request (' + xhr.status + '), polling stopped.'); + return; + } + // Network error - implement exponential backoff if (state.retryCount < CONFIG.retryIntervals.length - 1) { state.retryCount++; -- 2.39.5