Delete User with a link

Hello,
I created a module and want to add a trash-icon in the contact list.
I did all this, but now I need to finally run then delete-command.
When I click on my trash-icon I run this code:

```php
if (isset($parameters['arrayfields']['trashicon'])) {
    if ($user->rights->societe->supprimer) {
        $url = dol_buildpath('/societe/card.php', 1).'?id='.$object->id.'&action=delete';
        print '<td class="liste_titre">';
        print '<a href="'.$url.'" onclick="return confirm(\''.$langs->trans("ConfirmDelete").'\')">';
        print img_picto($langs->trans("Delete"), 'delete');
        print '</a>';
        print '</td>';
    } else {
        print '<td class="liste_titre">&nbsp;</td>';
    }
}
```

All works good, but after the click I got a csrf error:

Access to this page this way (POST method or GET with a sensible value for ‘action’ parameter) is refused by CSRF protection in main.inc.php. Token not provided. If you access your server behind a proxy using url rewriting and the parameter is provided by caller, you might check that all HTTP header are propagated (or add the line $dolibarr_nocsrfcheck=1 into your conf.php file or MAIN_SECURITY_CSRF_WITH_TOKEN to 0 instead of 2 into setup).

What’s the best way to solve the CSRF problem?

br

Hi @Kasuli

Any POST request, and any GET request that contains “action” or “massaction” with the value of a sensitive action, must also carry a valid token parameter. That means you need the token, whatever the value of the action is. You can check the newToken() function.

Thanks
Saikat Koley

Hey,

Okay, great.
But how should I use it?
Just use this in the class and set the token in the URL?

@Kasuli

Check the Dolibarr code in other areas. You will get a clue. Also, when you reply, please tag the person so he/she will get a notification.

Thanks
Saikat Koley

Nice, I did it, thanks!
But now, after I added it, the column looks weird.
The list column and the new column in the table work, but the filter column doesn’t match the right order.

```php
<?php
/**
 * Actions class for SearchBar module
 */

class ActionsSearchBar
{
    /**
     * @var DoliDB Database handler
     */
    public $db;

    /**
     * @var array Errors
     */
    public $errors = array();

    /**
     * @var array Results
     */
    public $results = array();

    /**
     * @var string Resprints
     */
    public $resprints = '';

    /**
     * @var int Error
     */
    public $error = 0;

    /**
     * @var bool SearchBar printed flag
     */
    public $searchBarPrinted = false;

    /**
     * Constructor
     * @param DoliDB $db Database handler
     */
    public function __construct($db)
    {
        $this->db = $db;
    }

    /**
     * Hook for print field list where
     *
     * @param   array()         $parameters     Hook metadatas (context, etc...)
     * @param   CommonObject    &$object        The object to process
     * @param   string          &$action        Current action (if set). Generally create or edit or null
     * @param   HookManager     $hookmanager    Hook manager propagated to allow calling another hook
     * @return  int                             < 0 on error, 0 on success, 1 to replace standard code
     */
    public function printFieldListWhere($parameters, &$object, &$action, $hookmanager)
    {
        global $conf, $langs;

        $error = 0; // Error counter

        if (!$error) {
            // Mark as printed to prevent duplicates
            $this->searchBarPrinted = true;
            // var_dump("OK"); // debug output, disabled: it would be injected into the list HTML

            return 0; // Success
        } else {
            $this->errors[] = 'Error in searchbar hook';
            error_log("SearchBar Hook: Error occurred");
            return -1; // Error
        }
    }

    /**
     * Filter row (search fields)
     */
    function printFieldListOption($parameters, &$object, &$action, $hookmanager)
    {
        global $langs;
        $context = explode(':', $parameters['context']);
        //var_dump($context);

        if (in_array('contactlist', $context)) {
            // Register the column correctly in arrayfields
            $parameters['arrayfields']['trashicon'] = array(
                'label'    => "Delete",
                'checked'  => 1,
                'enabled'  => 1,
                'position' => 20,
                'help'     => '',
                'searchable' => 1,
                'sortable' => 1
            );
        }

        return 0;
    }

    /**
     * Column title
     **/
    function printFieldListTitle($parameters, &$object, &$action, $hookmanager)
    {
        global $langs, $user;

        // Check whether the context is the contact list
        if (strpos($parameters['context'], 'contactlist') !== false) {
            // Set the column here as well, since parameters are not passed between functions
            $parameters['arrayfields']['trashicon'] = array(
                'label'    => "Delete",
                'checked'  => 1,
                'enabled'  => 1,
                'position' => 20,
                'help'     => '',
                'searchable' => 0,
                'sortable' => 0
            );

            // Debug: dump the parameters

            // Check whether our trashicon column exists
            if (isset($parameters['arrayfields']['trashicon'])) {
                print '<th class="liste_titre">'.$langs->trans("Delete").'</th>';
            }
        }

        return 0;
    }

    /**
     * Cell content (icon per row)
     **/
    function printFieldListValue($parameters, &$object, &$action, $hookmanager)
    {
        global $langs, $user;

        $context = explode(':', $parameters['context']);

        if (in_array('contactlist', $context)) {
            // Set the column here as well, since parameters are not passed between functions
            $parameters['arrayfields']['trashicon'] = array(
                'label'    => "Delete",
                'checked'  => 1,
                'enabled'  => 1,
                'position' => 20,
                'help'     => '',
                'searchable' => 0,
                'sortable' => 0
            );

            // Check whether our trashicon column exists
            if (isset($parameters['arrayfields']['trashicon'])) {
                if ($user->rights->societe->supprimer) {
                    // $url = dol_buildpath('/societe/card.php', 1).'?id='.$object->id.'&action=delete';
                    // Prefix with DOL_URL_ROOT so the link also works when Dolibarr runs in a subdirectory
                    $url = DOL_URL_ROOT.'/contact/card.php?action=delete&token='.newToken().'&id='.$object->id;

                    print '<td class="liste_titre">';
                    print '<a href="'.$url.'">';
                    print img_picto($langs->trans("Delete"), 'delete');
                    print '</a>';
                    print '</td>';
                } else {
                    print '<td class="liste_titre">&nbsp;</td>';
                }
            }
        }
        return 0;
    }

}
```

Hey again, I changed it a bit, but the column order doesn’t work and I don’t have the Delete button in the dropdown for selecting or deselecting the columns I want to see in the lists:

```php
<?php
/**
 * Actions class for SearchBar module
 */

class ActionsBarig
{
    /**
     * @var DoliDB Database handler
     */
    public $db;

    /**
     * @var array Errors
     */
    public $errors = array();

    /**
     * @var array Results
     */
    public $results = array();

    /**
     * @var string Resprints
     */
    public $resprints = '';

    /**
     * @var int Error
     */
    public $error = 0;

    /**
     * @var bool SearchBar printed flag
     */
    public $searchBarPrinted = false;

    /**
     * Constructor
     * @param DoliDB $db Database handler
     */
    public function __construct($db)
    {
        $this->db = $db;
    }

    /**
     * Hook for print field list where
     *
     * @param   array()         $parameters     Hook metadatas (context, etc...)
     * @param   CommonObject    &$object        The object to process
     * @param   string          &$action        Current action (if set). Generally create or edit or null
     * @param   HookManager     $hookmanager    Hook manager propagated to allow calling another hook
     * @return  int                             < 0 on error, 0 on success, 1 to replace standard code
     */
    public function printFieldListWhere($parameters, &$object, &$action, $hookmanager)
    {
        global $conf, $langs;

        $error = 0; // Error counter

        if (!$error) {
            // Mark as printed to prevent duplicates
            $this->searchBarPrinted = true;
            // var_dump("OK"); // debug output, disabled: it would be injected into the list HTML

            return 0; // Success
        } else {
            $this->errors[] = 'Error in searchbar hook';
            error_log("SearchBar Hook: Error occurred");
            return -1; // Error
        }
    }

    /**
     * Filter row (search fields)
     */
    function printFieldListOption($parameters, &$object, &$action, $hookmanager)
    {
        global $langs;
        $context = explode(':', $parameters['context']);
        //var_dump($context);

        if (in_array('contactlist', $context)) {
            // Register the column correctly in arrayfields
            // Set 'checked' => 0 here to hide the column by default
            $parameters['arrayfields']['trashicon'] = array(
                'label'    => "Delete",
                'checked'  => 1, // 0 = hidden, 1 = shown
                'enabled'  => 1,
                'position' => 5,
                'help'     => '',
                'searchable' => 0,
                'sortable' => 0
            );
        }

        if (in_array('thirdpartylist', $context)) {
            // Register the column correctly in arrayfields
            $parameters['arrayfields']['trashicon'] = array(
                'label'    => "Delete",
                'checked'  => 1,
                'enabled'  => 1,
                'position' => 5,
                'help'     => '',
                'searchable' => 0,
                'sortable' => 0
            );
        }

        return 0;
    }

    /**
     * Column title
     **/
    function printFieldListTitle($parameters, &$object, &$action, $hookmanager)
    {
        global $langs, $user;

        $context = explode(':', $parameters['context']);

        // Check whether the context is the contact list
        if (in_array('contactlist', $context)) {
            // Set the column here as well, since parameters are not passed between functions
            $parameters['arrayfields']['trashicon'] = array(
                'label'    => "Delete",
                'checked'  => 1,
                'enabled'  => 1,
                'position' => 5,
                'help'     => '',
                'searchable' => 0,
                'sortable' => 0
            );

            // Check whether our trashicon column exists
            if (isset($parameters['arrayfields']['trashicon'])) {
                print '<th class="liste_titre">'.$langs->trans("Delete").'</th>';
            }
        }

        // Check whether the context is the thirdparty list
        if (in_array('thirdpartylist', $context)) {
            // Set the column here as well, since parameters are not passed between functions
            $parameters['arrayfields']['trashicon'] = array(
                'label'    => "Delete",
                'checked'  => 1,
                'enabled'  => 1,
                'position' => 5,
                'help'     => '',
                'searchable' => 0,
                'sortable' => 0
            );

            // Check whether our trashicon column exists
            if (isset($parameters['arrayfields']['trashicon'])) {
                print '<th class="liste_titre">'.$langs->trans("Delete").'</th>';
            }
        }

        return 0;
    }

    /**
     * Cell content (icon per row)
     **/
    function printFieldListValue($parameters, &$object, &$action, $hookmanager)
    {
        global $langs, $user;

        $context = explode(':', $parameters['context']);

        if (in_array('contactlist', $context)) {
            // Set the column here as well, since parameters are not passed between functions
            $parameters['arrayfields']['trashicon'] = array(
                'label'    => "Delete",
                'checked'  => 1,
                'enabled'  => 1,
                'position' => 5,
                'help'     => '',
                'searchable' => 0,
                'sortable' => 0
            );

            // Check whether our trashicon column exists
            if (isset($parameters['arrayfields']['trashicon'])) {
                if ($user->rights->societe->supprimer) {
                    // $url = dol_buildpath('/societe/card.php', 1).'?id='.$object->id.'&action=delete';
                    // Prefix with DOL_URL_ROOT so the link also works when Dolibarr runs in a subdirectory
                    $url = DOL_URL_ROOT.'/contact/card.php?action=delete&token='.newToken().'&id='.$object->id;

                    print '<td class="liste_titre">';
                    print '<a href="'.$url.'">';
                    print img_picto($langs->trans("Delete"), 'delete');
                    print '</a>';
                    print '</td>';
                } else {
                    print '<td class="liste_titre">&nbsp;</td>';
                }
            }
        }

        if (in_array('thirdpartylist', $context)) {
            // Set the column here as well, since parameters are not passed between functions
            $parameters['arrayfields']['trashicon'] = array(
                'label'    => "Delete",
                'checked'  => 1,
                'enabled'  => 1,
                'position' => 5,
                'help'     => '',
                'searchable' => 0,
                'sortable' => 0
            );

            // Check whether our trashicon column exists
            if (isset($parameters['arrayfields']['trashicon'])) {
                if ($user->rights->societe->supprimer) {
                    // Both links carry the CSRF token required for a sensitive 'action'
                    $url_yes = dol_buildpath('/societe/card.php', 1).'?socid='.$object->id.'&action=confirm_delete&confirm=yes&token='.newToken();
                    $url_no = dol_buildpath('/societe/card.php', 1).'?socid='.$object->id.'&action=delete&delete_confirm=no&token='.newToken();

                    print '<td class="liste_titre">';
                    print '<a href="#" onclick="showDeleteConfirm(\''.$url_yes.'\', \''.$url_no.'\', \''.$langs->trans("").'\'); return false;">';
                    print img_picto($langs->trans("Delete"), 'delete');
                    print '</a>';
                    print '</td>';

                    // Include JavaScript only once
                    static $js_included = false;
                    if (!$js_included) {
                        print '<script src="'.DOL_URL_ROOT.'/custom/barig/js/barig_delete.js"></script>';
                        $js_included = true;
                    }
                } else {
                    print '<td class="liste_titre">&nbsp;</td>';
                }
            }
        }
        return 0;
    }

}
```
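As an added illustration of the two problems raised in this thread (the CSRF token on the delete link, and the filter row losing alignment), here is a minimal contact-list hook class written for this page, not the poster's module or Dolibarr core code: the filter hook emits the cell the poster's version never prints, and each hook returns its HTML via `$this->resprints`, which the HookManager outputs at the hook's position. It assumes the Dolibarr core helpers `newToken()`, `img_picto()`, `dol_escape_htmltag()`, the `DOL_URL_ROOT` constant, and the contact delete right `$user->rights->societe->contact->supprimer`.

```php
<?php
// Added example, not the poster's class: Dolibarr contact-list hook with aligned
// filter/title/data cells and a token-protected delete link. Assumes Dolibarr core
// helpers newToken(), img_picto(), dol_escape_htmltag() and DOL_URL_ROOT.
class ActionsTrashIconExample
{
    public $db;
    public $resprints = '';
    public function __construct($db)
    {
        $this->db = $db;
    }
    // True when the hook runs inside the contact list page.
    private function isContactList($parameters)
    {
        return in_array('contactlist', explode(':', $parameters['context']));
    }
    // Filter row: an empty cell keeps the search row as wide as the other rows;
    // a missing cell here is what shifts the filter columns.
    public function printFieldListOption($parameters, &$object, &$action, $hookmanager)
    {
        if ($this->isContactList($parameters)) {
            $this->resprints = '<td class="liste_titre"></td>';
        }
        return 0;
    }
    // Title row: one header cell for the column.
    public function printFieldListTitle($parameters, &$object, &$action, $hookmanager)
    {
        global $langs;
        if ($this->isContactList($parameters)) {
            $this->resprints = '<th class="liste_titre">'.$langs->trans("Delete").'</th>';
        }
        return 0;
    }
    // Data row: the link carries the token main.inc.php requires for a GET with a
    // sensitive "action" and is rendered only for users with the contact delete right.
    public function printFieldListValue($parameters, &$object, &$action, $hookmanager)
    {
        global $langs, $user;
        if (!$this->isContactList($parameters)) {
            return 0;
        }
        $this->resprints = '<td class="nowraponall">&nbsp;</td>';
        if (!empty($user->rights->societe->contact->supprimer)) {
            $url = DOL_URL_ROOT.'/contact/card.php?id='.((int) $object->id).'&action=delete&token='.urlencode(newToken());
            $this->resprints = '<td class="nowraponall"><a href="'.dol_escape_htmltag($url).'">'.img_picto($langs->trans("Delete"), 'delete').'</a></td>';
        }
        return 0;
    }
}
```

The link only opens the card page's delete confirmation; the actual deletion still goes through Dolibarr's confirm step, so the token protects the GET against the CSRF check without bypassing the confirmation.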