postButton does not create CSRF token

Hi

I am making a button to delete a user. I am guided by the documentation

https://book.cakephp.org/3/en/views/helpers/form.html

part “Creating Standalone Buttons and POST Links” / “Creating POST Buttons”

this manual says that if I write this

<?= $this->Form->postButton('Delete Record', ['controller' => 'Tickets', 'action' => 'delete', 5]) ?>

it will turn out

Delete Record

but I do not generate csrf token like this

Delete Record

Please tell me how to solve this problem?

What specific version of Cake are you using?

My version is 3.x
and I gave a link to the documentation of this version

“3.x” is not a specific version. And lots of people look at the wrong version of the documentation, and suffer predictable problems as a result.

////////////////////////////////////////////////////////////////////////////////////////////////////
// ±-------------------------------------------------------------------------------------------+ //
// CakePHP Version
//
// Holds a static string representing the current version of CakePHP
//
// CakePHP™ : Rapid Development Framework (https://cakephp.org)
// Copyright © Cake Software Foundation, Inc. (https://cakefoundation.org)
//
// Licensed under The MIT License
// Redistributions of files must retain the above copyright notice.
//
// @copyright Copyright © Cake Software Foundation, Inc. (https://cakefoundation.org)
// @link https://cakephp.org
// @since CakePHP™ v 0.2.9
// @license https://opensource.org/licenses/mit-license.php MIT License
// ±-------------------------------------------------------------------------------------------+ //
////////////////////////////////////////////////////////////////////////////////////////////////////
3.8.6

it turns out the version matches

Okay, I’ve got 3.8.9 here, and I see no substantive code changes in the HTML helper between 3.8.6 and 3.8.9, so I can safely use my own install to test with. Looking at the code, postButton is indeed quite simple, and makes no reference to CSRF at all. postLink does, but maybe it’s not what you want.

In your original post, there is just bare “Delete Record” twice. Was that meant to have HTML wrapped around it? If so, the formatting was not right. That’s keeping me from seeing whether what you’re expecting is what you think you’re expecting. The documentation for postButton, for example, indicates that it will add some _Token fields, but those are related to the security component, not CSRF; its token looks different.

postLink suitable, but problems with it.
Yes, I have a lot of “Delete Record”

look here

Users list

<?= $this->Html->link('Add user', ['action' => 'addUsers']) ?> <?php foreach ($users as $user): ?>
Name Password Role Creates Modified Delete
<?= $user->username ?> <?= $user->password ?> <?= $user->role; ?> <?= $user->creted; ?> <?= $user->midified; ?> <?= $this->Form->postLink( 'Delete', ['action' => 'deleteUser', $user->id], ['confirm' => 'Are you sure?']) ?>
                 <!--    <?= $this->Form->postButton('delete', ['controller' => 'Users', 'action' => 'deleteUser', $user->id]) ?> -->
                </td>
            </tr>
            <?php endforeach; ?>
        <tbody>
    </table>
</section>
![image|690x387](upload://c9na0pf4MgdAMc9jDLQSKFfz6MI.png) 

it is screenshot

That didn’t come through either. Use the “</>” tool in the post editor to mark your code as code and prevent the site from trying to render it as actual HTML.

        <tbody>
            <?php foreach ($users as $user): ?>
            <tr>
                <td><?= $user->username ?> </td>
                <td><?= $user->password ?> </td>
                <td><?= $user->role; ?>    </td>
                <td><?= $user->creted; ?>  </td>
                <td><?= $user->midified; ?></td>
                <td>               
                    <?= $this->Form->postLink(
                        'Delete',
                        ['action' => 'deleteUser', $user->id],
                        ['confirm' => 'Are you sure?'])
                    ?>    
                    
                 <!--    <?= $this->Form->postButton('delete', ['controller' => 'Users', 'action' => 'deleteUser', $user->id]) ?> -->
                </td>
            </tr>
            <?php endforeach; ?>
        </tbody>

CSRF token mismatch. Cake\Http\Exception\InvalidCsrfTokenException

what is there to change? I already did not try. It does not display the CSRF token. They are not here.

Okay, let me write this out more explicitly, since my meaning is apparently being lost somewhere. Your original post said this:

The manual doesn’t say it’ll “turn out Delete Record”, it has a bunch of HTML around that. So, all of what you’re expecting to see has been removed from the post. As a result of that, we don’t know what you’re actually expecting. We also don’t know what you are seeing in the HTML generated by your code, because that also just got rendered here as “Delete Record”.

Now, when I read the documentation for postButton, it doesn’t say anything at all about CSRF tokens. But, because of the formatting of your post, I don’t know whether what I’m looking at is what you’re looking at. Maybe you are seeing what I’m seeing and misreading it. It mentions the _Token fields, for example, but those are NOT CSRF tokens, they are form security tokens. Or maybe you’re reading something else. Without any of that context, it’s really hard to help you.

This is what I’m trying to get from you. I’ve already said that postButton doesn’t give CSRF tokens. That doesn’t appear to be enough for you. But you haven’t given us enough other information to work with, so we can’t solve your problem yet.
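The difference drawn above between the `_Token` fields and the CSRF token can be checked directly against the rendered page source. The following is an added example, not code from this thread or from CakePHP: a Python script that lists every POST form in a page and reports whether it carries a `_csrfToken` hidden field or only SecurityComponent `_Token[...]` fields. The sample HTML is constructed for illustration, and `FormAudit` and `audit_forms` are hypothetical names.

```python
from html.parser import HTMLParser

CSRF_FIELD = "_csrfToken"    # hidden field validated by CsrfProtectionMiddleware
SECURITY_PREFIX = "_Token["  # SecurityComponent form-tampering fields, not CSRF

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = None  # only POST forms are tracked
            if (a.get("method") or "get").lower() == "post":
                self._cur = {"action": a.get("action") or "", "hidden": []}
                self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "hidden":
                self._cur["hidden"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(html):
    """Return (action, has_csrf_token, has_security_token) for each POST form."""
    parser = FormAudit()
    parser.feed(html)
    return [(f["action"], CSRF_FIELD in f["hidden"],
             any(n.startswith(SECURITY_PREFIX) for n in f["hidden"]))
            for f in parser.forms]

# Constructed sample shaped like FormHelper output; token values are placeholders.
SAMPLE = """
<form name="post_1" style="display:none;" method="post" action="/admin/delete-user/12">
  <input type="hidden" name="_method" value="POST"/>
  <input type="hidden" name="_csrfToken" value="PLACEHOLDER"/>
</form>
<form method="post" action="/admin/delete-user/13">
  <input type="hidden" name="_method" value="POST"/>
  <input type="hidden" name="_Token[fields]" value="PLACEHOLDER"/>
</form>
<form method="get" action="/admin/users"><input type="text" name="q"/></form>
"""

if __name__ == "__main__":
    for action, csrf, sec in audit_forms(SAMPLE):
        print(f"{action}: _csrfToken={'present' if csrf else 'MISSING'}, _Token={sec}")
```

Feeding it the saved page source of the users list shows, per delete form, which of the two token kinds was actually emitted.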

it is controller code

public function users()
{        
    // $token = json_encode($this->request->getParam('_csrfToken'));
    $users = $this->Users->find('all');
    $this->set(compact('users'));
    // $this->set(compact('users', 'token'));
}

it is view code

        <tbody>
            <?php foreach ($users as $user): ?>
            <tr>
                <td><?= $user->username ?> </td>
                <td><?= $user->password ?> </td>
                <td><?= $user->role; ?>    </td>
                <td><?= $user->creted; ?>  </td>
                <td><?= $user->midified; ?></td>
                <td>               
                    <?= $this->Form->postLink(
                        'Delete',
                        ['action' => 'deleteUser', $user->id],
                        ['confirm' => 'Are you sure?'])
                    ?>    
                    
                 <!--    <?= $this->Form->postButton('delete', ['controller' => 'Users', 'action' => 'deleteUser', $user->id]) ?> -->
                </td>
            </tr>
            <?php endforeach; ?>
        </tbody>

As a result, it gives an error

CSRF token mismatch. Cake\Http\Exception\InvalidCsrfTokenException

How can I fix this error?
What information should I give you?

it is logs

2020-05-06 17:42:55 Error: [Cake\Http\Exception\InvalidCsrfTokenException] CSRF token mismatch. (C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Middleware\CsrfProtectionMiddleware.php:231)
#0 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Middleware\CsrfProtectionMiddleware.php(151): Cake\Http\Middleware\CsrfProtectionMiddleware->_validateToken(Object(Cake\Http\ServerRequest))
#1 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Middleware\CsrfProtectionMiddleware.php(121): Cake\Http\Middleware\CsrfProtectionMiddleware->_validateAndUnsetTokenField(Object(Cake\Http\ServerRequest))
#2 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Runner.php(65): Cake\Http\Middleware\CsrfProtectionMiddleware->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response), Object(Cake\Http\Runner))
#3 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Runner.php(51): Cake\Http\Runner->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response))
#4 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Routing\Middleware\RoutingMiddleware.php(168): Cake\Http\Runner->run(Object(Cake\Http\MiddlewareQueue), Object(Cake\Http\ServerRequest), Object(Cake\Http\Response))
#5 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Runner.php(65): Cake\Routing\Middleware\RoutingMiddleware->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response), Object(Cake\Http\Runner))
#6 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Routing\Middleware\AssetMiddleware.php(88): Cake\Http\Runner->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response))
#7 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Runner.php(65): Cake\Routing\Middleware\AssetMiddleware->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response), Object(Cake\Http\Runner))
#8 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Error\Middleware\ErrorHandlerMiddleware.php(96): Cake\Http\Runner->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response))
#9 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Runner.php(65): Cake\Error\Middleware\ErrorHandlerMiddleware->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response), Object(Cake\Http\Runner))
#10 C:\OSPanel\domains\THC\vendor\cakephp\debug_kit\src\Middleware\DebugKitMiddleware.php(53): Cake\Http\Runner->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response))
#11 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Runner.php(65): DebugKit\Middleware\DebugKitMiddleware->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response), Object(Cake\Http\Runner))
#12 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Runner.php(51): Cake\Http\Runner->__invoke(Object(Cake\Http\ServerRequest), Object(Cake\Http\Response))
#13 C:\OSPanel\domains\THC\vendor\cakephp\cakephp\src\Http\Server.php(97): Cake\Http\Runner->run(Object(Cake\Http\MiddlewareQueue), Object(Cake\Http\ServerRequest), Object(Cake\Http\Response))
#14 C:\OSPanel\domains\THC\webroot\index.php(40): Cake\Http\Server->run()
#15 {main}
Request URL: /admin/delete-user/12
Referer URL: http://thc:81/admin/users

I decided! The problem was with routing. By default, all routes are closed for me and I forgot to add to routes.php /delete-user/*

This caused an error.

Thank you for your time. Your hard work. )