Action you have requested is not allowed error

Faruk Omar · Apr 30, 2012 · Viewed 35.1k times

I made a module named Gallery which works fine on my localhost with version 2.0.3, but when using version 2.1.0 on a remote site I cannot submit a form and I get the error:

The action you have requested is not allowed.

Why is this?

Answer

JoeMoe1984 · Sep 19, 2013

I agree with @Jhourlad Estrella on fixing the problems instead of disabling a security feature; however, I feel that the real problem is with the hidden input field that holds the token.

Instead of using plain HTML to create a form element, use the form_open() and form_close() helper functions. The reason is that when you use the helper function, it automatically inserts the CSRF token as a hidden field in the form.

You could do this manually as well by adding the token as a hidden input field in the form:

<input type="hidden" name="csrf_hash_name" value="your-hash-value-here">

Doing it this way will allow you to stay protected from CSRF attacks and fix the problem you are having.

Hope this helps someone else out there as this was driving me nuts the first time figuring this out.
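
The two options from the answer, written out as an added example that is not part of the original answer. It assumes the framework is CodeIgniter 2.1.0 (the version named in the question) with `$config['csrf_protection'] = TRUE`; the `Gallery` controller, its method names and the `title` field are hypothetical.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// application/controllers/gallery.php (hypothetical controller for illustration)
// Assumes application/config/config.php contains: $config['csrf_protection'] = TRUE;
class Gallery extends CI_Controller {

    public function upload_form()
    {
        $this->load->helper(array('form', 'url'));

        // Option 1: form_open() writes the <form> tag and, because CSRF
        // protection is enabled, adds the hidden token field by itself.
        $html  = form_open('gallery/save');
        $html .= form_input('title');
        $html .= form_submit('submit', 'Save');
        $html .= form_close();

        // Option 2: hand-written form. The field name and value must come from
        // the Security class at render time; a hard-coded name or hash will not
        // match the CSRF cookie and the POST is rejected.
        $name = $this->security->get_csrf_token_name();
        $hash = $this->security->get_csrf_hash();

        $html .= '<form method="post" action="' . site_url('gallery/save') . '">';
        $html .= '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
               . '" value="' . htmlspecialchars($hash, ENT_QUOTES, 'UTF-8') . '">';
        $html .= '<input type="text" name="title">';
        $html .= '<input type="submit" value="Save">';
        $html .= '</form>';

        $this->output->set_output($html);
    }

    public function save()
    {
        // Execution reaches this method only when the posted token matched the
        // CSRF cookie. On a mismatch CodeIgniter stops earlier with
        // "The action you have requested is not allowed."
        $title = $this->input->post('title');
        $this->output->set_output('Saved: ' . htmlspecialchars((string) $title, ENT_QUOTES, 'UTF-8'));
    }
}
```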