Hunter Lyons Posted August 4, 2019

Is there any way to use a link to join a club? That way, I can post it on social media, for example, where people will be taken to our website and (if logged in) immediately added to the Club. Clubs are very much a central feature of my site so this is critical.

I tried to just do like this:

https://www.argogaming.org/groups/6-indie-games-community/?do=join

But it gives the following error. How can I fix or avoid this? I'd like to be able to just link people something that automatically adds them to whatever relevant club.
Hunter Lyons (Author) Posted August 7, 2019

Bump. Alternatively, does anyone know how I can tweak the CSRF protection key setup to allow this? Not even sure what that is, but is there a setting anywhere or customization I can make?
opentype Posted August 7, 2019

You can’t tweak (i.e. circumvent) the protection mechanism. And it would be bad practice to do so. Let members view the club page and then let them decide if they want to join instead of tricking them into a club membership with a certain URL.
Hunter Lyons (Author) Posted August 7, 2019

It isn't for tricking them... I run a gaming club with about 10 sub-clubs. Fighting games, handheld games, etc. We use Discord now. When we go live with our site, I was planning on posting links in each sub-club's chat to auto-join their group. This would make transitioning super easy for people who have little to no forum experience.

The other use is on my website's home page. This isn't finished, but I was going to make very aesthetic, pretty little showcases for each community. It is by no means a trick...

On Discord, you can generate invite links to join groups. discord.gg/argos joins our Discord chat. My users are familiar with invite links. It'd be very easy to use terms they understand, because we're transitioning 400 users who are Discord-focused and many have likely never used forums -- we're college students. I have experience, and some others, but most don't know what a forum is, even.
Ryan Ashbrook Posted August 7, 2019

As a general policy, if any user-initiated action changes any sort of state on the site, then a Cross Site Request Forgery (CSRF) key is sent to verify that the user authorized the change. This is to protect against various social engineering attacks which cause the user to do something they did not intend to do.

Removing those would open your site up to those types of attacks, and you would likely receive security reports at some point from security researchers pointing out CSRF vulnerabilities on your site.

You can read more here: Cross-site request forgery
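The check described in the post above, as an added sketch that is not part of the original thread and not the forum software's own code: a session-bound key decides whether a state-changing "join" request is honoured. The handler name, the `csrf_key` parameter name, the return strings and the HMAC construction are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a per-deployment secret; generated here only so the example runs.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_key(session_id: str) -> str:
    """Key the server would embed in its own forms and buttons for one session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_club_request(session_id: Optional[str], params: dict, members: set) -> str:
    """Hypothetical handler for a club URL; returns the outcome as a string."""
    if params.get("do") != "join":
        return "show_club_page"      # viewing changes no state, so no key is needed
    if session_id is None:
        return "login_required"
    supplied = str(params.get("csrf_key", "")).encode()
    expected = csrf_key(session_id).encode()
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(supplied, expected):
        # A link posted on social media ends up here: it cannot carry a key
        # that is valid for every visitor's session.
        return "rejected"
    members.add(session_id)          # state changes only after the key verifies
    return "joined"


if __name__ == "__main__":
    club = set()
    # Constructed sample requests.
    print(handle_club_request("session-alice", {"do": "join"}, club))
    print(handle_club_request("session-alice",
                              {"do": "join", "csrf_key": csrf_key("session-alice")},
                              club))
```

A shared link to the plain club page takes the `show_club_page` branch, and the Join button rendered on that page is what carries the visitor's own key.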
Hunter Lyons (Author) Posted August 7, 2019

I understand. Seems very important to leave that as is. No idea how I'd even go about editing it, hah. Thanks for explaining.

Is there any way to specifically set it up so that a CSRF is not needed just for joining a club? Clubs, on my site, are just for various recreational activities. The link is also obvious as to what is being done, e.g.:

https://www.argogaming.org/groups/6-indie-games-community/?do=join

It says Indie Games Community, and join; hence, I am joining the indie games community. There is no real negative outcome I can imagine from this specific case, though I may simply be unaware.

If it isn't possible -- oh well, I'll just provide a link to the club page and say, if interested, click Join on your own.
This topic is now archived and is closed to further replies.