integrate subscribe form in Website -> CSRF-token
Hello, we wanted to integrate a subscribe form into our website after the update from Mailman2 to Mailman3. Before, it was quite easy and supposedly still is, but we can't figure out what to do about the CSRF token problem.
Is there any documentation on this anywhere? We can't find any.
If not, I would like to post more on what we tried with the html-code and what is coming up afterwards.
(forbidden 403 - CSRF-verification failed. Request aborted.)
Thanks in advance! Jens.
Jens Günther writes:
(forbidden 403 - CSRF-verification failed. Request aborted.)
I think you need to tell us more about what you're trying to do (the obvious way to implement a "website subscribe form" is "run Postorius" which should just work), the configuration you now have, and exactly what actions you take in the browser to get this response.
It would also be helpful to tell us what operating system(s) you're using and their versions, and the versions of Mailman 2 and 3.
Steve
Thank you for your questions. I hope I can give you the needed answers about what we are trying to do :-)
- We have a WordPress site set up for our association.
- There we put an HTML snippet so that visitors can subscribe to a mailing list (newsletter).
- With Mailman2 (2.1.23), this snippet was:
<form method="POST" action="https://$domain/mailman/subscribe/$short_listname"> <input name="email" value="" type="text"><br> <input name="email-button" value="Subscribe" type="submit"> </form>
We wanted to do the same with Mailman3 (Docker, 3.3.3, Postorius 1.3.4):
<form method="POST" action="https://$domain/postorius/lists/$short_lisname.$domain/anonymous_subscribe"> <input name="email" value="" type="text"><br> <input name="email-button" value="Anmelden" type="submit"> </form>
When I now enter a mail address, the quoted error occurs.
Checking another answer directly to me, there seems to be another hint :-)
I believe you are attempting to use the MM Core API via http GET/POST, rather than via Postorius? That you have tried and get the CSRF error reported?
Typically this is because you need to add a token to the request to indicate to the MM Core that your request isn't a forgery. Typically this token is requested from Core and then presented with subsequent requests. Have you tried this?
Therefore it is necessary to also send a token!? Or use another URL, not postorius, in order to subscribe!? How can I submit such a token?
Still wondering if there is something corresponding to this documentation!? If not, I'm also willing to write some later on, if somebody could lead me the way on how to achieve this :-)
https://wiki.list.org/DOC/4.33%20How%20do%20I%20put%20a%20subscribe%20form%2...
Thanks already a lot!
On 21.06.21 at 17:23, Stephen J. Turnbull wrote:
Jens Günther writes:
(forbidden 403 - CSRF-verification failed. Request aborted.)
I think you need to tell us more about what you're trying to do (the obvious way to implement a "website subscribe form" is "run Postorius" which should just work), the configuration you now have, and exactly what actions you take in the browser to get this response.
It would also be helpful to tell us what operating system(s) you're using and their versions, and the versions of Mailman 2 and 3.
Steve
On 6/21/21 11:58 AM, Jens Günther wrote:
We wanted to do the same with Mailman3 (Docker, 3.3.3, Postorius 1.3.4):
<form method="POST" action="https://$domain/postorius/lists/$short_lisname.$domain/anonymous_subscribe">
<input name="email" value="" type="text"><br> <input name="email-button" value="Anmelden" type="submit"> </form>
When I now enter a mail address, the quoted error occurs.
This is Django protecting against CSRF. You need to GET the form with the (hidden) CSRF token before you can POST it.
Checking another answer directly to me, there seems to be another hint :-)
I believe you are attempting to use the MM Core API via http GET/POST, rather than via Postorius? That you have tried and get the CSRF error reported?
Typically this is because you need to add a token to the request to indicate to the MM Core that your request isn't a forgery. Typically this token is requested from Core and then presented with subsequent requests. Have you tried this?
Therefore it is necessary to also send a token!? Or use another URL, not postorius, in order to subscribe!? How can I submit such a token?
To submit the Token, you need to first GET the form which will have the token. Then you can include it in the POST data. This is not a satisfactory solution for your case.
As hinted above, you need to use the REST API. See https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/rest/docs/m...
-- Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
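Added example, not part of the thread and not code from the Mailman project: a server-side helper that the website's own form handler could call to subscribe an address through Core's REST API, so the admin REST credentials never reach the browser. It assumes Core's REST API on its default `localhost:8001` with API version 3.1; the credentials and the list-id are placeholders.

```python
import base64
import re
import urllib.parse
import urllib.request

# Assumed deployment values. Core's REST API grants full admin access, so it
# must stay reachable only from this handler, never from the internet.
REST_URL = "http://localhost:8001/3.1/members"
REST_USER, REST_PASS = "restadmin", "restpass"   # placeholders
ALLOWED_LISTS = {"newsletter.example.org"}       # constructed list-id

# Deliberately strict: no whitespace, no header or list separators.
EMAIL_RE = re.compile(r"[^@\s<>,;]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_subscribe_request(list_id, email):
    """Validate the input and return the POST request for Core."""
    # Only lists explicitly opened for web sign-up may be targeted, so the
    # public form cannot be used to reach other lists on the server.
    if list_id not in ALLOWED_LISTS:
        raise ValueError("list not open for web subscription")
    email = email.strip()
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid e-mail address")
    # pre_verified / pre_confirmed / pre_approved are not sent on purpose:
    # the list's own subscription policy (e.g. confirmation mail) still applies.
    body = urllib.parse.urlencode(
        {"list_id": list_id, "subscriber": email}).encode()
    token = base64.b64encode(f"{REST_USER}:{REST_PASS}".encode()).decode()
    return urllib.request.Request(
        REST_URL, data=body, method="POST",
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/x-www-form-urlencoded"})


def subscribe(list_id, email):
    """Send the request to Core and return the HTTP status code."""
    req = build_subscribe_request(list_id, email)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

The public form on the website posts to this handler, which should carry its own CSRF protection and rate limiting, since it is now the only thing between anonymous visitors and the list server.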
- Jens Günther (jens.guenther@posteo.de) [210621 20:59]:
We wanted to do the same with Mailman3 (Docker, 3.3.3, Postorius 1.3.4):
<form method="POST" action="https://$domain/postorius/lists/$short_lisname.$domain/anonymous_subscribe"> <input name="email" value="" type="text"><br> <input name="email-button" value="Anmelden" type="submit"> </form>
When I now enter a mail address, the quoted error occurs.
We do the same by sending a mail to the -subscribe address. This works well.
Andi
participants (4): Andreas Barth, Jens Günther, Mark Sapiro, Stephen J. Turnbull