We are adding a separate tab to InvoicePlane to keep track of employees and have included a section where the employees can upload profile pictures. This feature was working correctly in version 1.4, however when we updated to version 1.5, we are getting a 403 error when we try to upload photos. So far, we have changed the permission to read and write for all users and changed the .htaccess to Allow from all. Does anyone have any suggestions for how we should resolve this issue?
There is a known bug with POST requests that do not explicitly declare a CSRF token: InvoicePlane 1.5.3 Saving Settings Error
That might be related.
Possible temporary solutions:
- Consider disabling httpOnly as shown in the link.
- Or append a hidden input to your uploading form:
<input type="hidden" name="_ip_csrf" value="<?= $this->security->get_csrf_hash(); ?>">
Thanks for your reply. I have tried both temporary solutions, but I am still getting a 403 error. Is there anything else that you know of that could cause this?
No.
The solutions above should work in most cases.
You developed your own custom snippet, so our helping scope is limited.
Those 403 Error status codes, if not related to a script, are usually related to folder permissions (you might need chmod 777) or Apache configuration (check .htaccess and/or your vhosts).
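The thread names two sources for the 403: the application's CSRF check and the web server itself. The following is an added example, not part of the thread or of InvoicePlane's code, that tells them apart from the response body and checks that the rendered upload form carries the `_ip_csrf` field. It assumes default error pages: CodeIgniter's stock CSRF failure message and Apache's stock "Forbidden" page. The sample HTML and bodies in the test are constructed.

```python
import re

# Assumption: the default CodeIgniter 3 CSRF failure text is unchanged.
CI_CSRF_MSG = "The action you have requested is not allowed."
# Assumption: Apache's default 403 page is unchanged.
APACHE_MSG = "permission to access"
TOKEN_FIELD = "_ip_csrf"  # field name taken from the thread


def form_has_token(form_html, field=TOKEN_FIELD):
    """True if the rendered form has a non-empty input named `field`."""
    for tag in re.findall(r"<input\b[^>]*>", form_html, flags=re.I):
        name = re.search(r'name=["\']([^"\']*)["\']', tag, flags=re.I)
        value = re.search(r'value=["\']([^"\']*)["\']', tag, flags=re.I)
        if name and name.group(1) == field:
            return bool(value and value.group(1).strip())
    return False


def classify_403(status, body):
    """Attribute a 403 to the application CSRF check or the web server."""
    if status != 403:
        return "not-403"
    if CI_CSRF_MSG in body:
        return "application-csrf"
    if APACHE_MSG in body:
        return "web-server"
    return "unknown"


def triage(form_html, status, body):
    """Combine both checks into one next step for the person debugging."""
    origin = classify_403(status, body)
    if origin == "application-csrf":
        if form_has_token(form_html):
            return "token present in form: compare it with the CSRF cookie"
        return "token missing: add the hidden _ip_csrf input to the form"
    if origin == "web-server":
        return "request rejected before PHP: check .htaccess, vhost, permissions"
    if origin == "not-403":
        return "no 403 to explain"
    return "custom error page: read the web server and application logs"
```

If the body matches neither default page, the web server error log and the application log are the next place to look.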