Basically I got this problem after SUPEE 7405 update. Whenever I add something to the cart and then click remove item in the AJAX cart, it tells me "Cannot remove the item."
I have to refresh the page and then the item successfully removes.
Basically, adding and then instantly removing an item doesn't work. I need to add, refresh the page (or go to another page of the site) and then click remove; then the item will be removed.
I noticed that the patch overrode:
app/code/core/Mage/Checkout/controllers/CartController.php
    /**
     * Delete shoping cart item action
     */
    public function deleteAction()
    {
        $id = (int) $this->getRequest()->getParam('id');
        if ($id) {
            try {
                $this->_getCart()->removeItem($id)
                    ->save();
            } catch (Exception $e) {
                $this->_getSession()->addError($this->__('Cannot remove the item.'));
                Mage::logException($e);
            }
        }
        $this->_redirectReferer(Mage::getUrl('*/*'));
    }
The code ABOVE is the code Before patch. Below is the code AFTER patch.
    /**
     * Delete shoping cart item action
     */
    public function deleteAction()
    {
        if ($this->_validateFormKey()) {
            $id = (int)$this->getRequest()->getParam('id');
            if ($id) {
                try {
                    $this->_getCart()->removeItem($id)
                        ->save();
                } catch (Exception $e) {
                    $this->_getSession()->addError($this->__('Cannot remove the item.'));
                    Mage::logException($e);
                }
            }
        } else {
            $this->_getSession()->addError($this->__('Cannot remove the item.'));
        }
        $this->_redirectReferer(Mage::getUrl('*/*'));
    }
Any help?
If this is anything like the SUPEE-6788 patch, then the following line is the tell
if ($this->_validateFormKey()) {
and your custom AJAX shopping cart extension needs to be patched to work with formkeys.
Usually this is something as simple as repairing the problematic template .phtml file by adding a hidden form element to pass the formkey upon any cart action.
You might try contacting the developer for the cart extension to see if they've already addressed the issue.
What if I simply remove the form key from the file? It should solve the problem; I wonder, will it cause any security flaws?
Solving the issue by removing the patch reopens the following security issue. Your decision, your customers.
CSRF Delete Items from Cart - APPSEC-1212
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description: Magento does not validate the form key when deleting items from the shopping cart using a GET request. As a result, a user could use phishing emails or other malicious attacks to trick a customer into deleting items from his cart.
Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Shabad Shashidar Reddy
And the answer to wondering if it will cause any security flaws is always YES, they did the change for a reason.
Hi!
I got the same issue. You need to find this file in your template or base folder:
/template/checkout/cart/item/default.phtml
Find
<a href="<?php echo $this->getDeleteUrl() ?>" title="<?php echo Mage::helper('core')->quoteEscape($this->__('Remove Item')) ?>" class="btn-remove btn-remove2"><?php echo $this->__('Remove Item') ?></a>
Replace with
<a href="<?php echo $this->getDeleteUrl() ?>form_key/<?php echo $formKey = Mage::getSingleton('core/session')->getFormKey();?>" title="<?php echo Mage::helper('core')->quoteEscape($this->__('Remove Item')) ?>" class="btn-remove btn-remove2"><?php echo $this->__('Remove Item') ?></a>
This did not work for me, with changes applied it shows the form key in url for delete button. However, my other ajax flycart without this change still works just fine. Could I be experiencing a js conflict since it has both of the same action on the same page?
javascript:ajaxcartConfig.deleteItem('http://www.***.com/checkout/cart/delete/id/3839/')form_key/aMN11vrvpZ7r3Ybj
doesn't work
javascript:ajaxcartConfig.deleteItem('http://www.***.com/checkout/cart/delete/id/3839/')
works (ajax flycart only)
weird right?
My updated code:
<td class="a-center"><a href="<?php echo $this->getDeleteUrl()?>form_key/<?php echo $formKey = Mage::getSingleton('core/session')->getFormKey();?>" title="<?php echo Mage::helper('core')->quoteEscape($this->__('Remove Item')) ?>" class="btn-remove btn-remove2"><?php echo $this->__('Remove item')?></a></td>
Can't narrow down as to where the delete button is getting called from on flycart (looks like same button but can't find individual code).
Hi,
Had the same issue.
Have you disabled Magento Compilation?
Disabling Magento Compilation, clearing the cache and reindexing fixed mine.
Thank you
Magento Compilation stays disabled and I have cleared the cache and re-indexed. Same issues. I can only clear the entire cart. I noticed when I do delete from my minicart it just says it does, but it's still there and the actual trash can icons do nothing at all. It's been quite confusing for me.
@advanceduzer Thank you very much! This worked perfectly.
Also, this cart issue hasn't occurred on my other similar Magento setup (same extensions, themes etc.).
I wonder what is the root cause of this issue?
I'm still having issues. On the Ajax side, without form_keys in the URL, it declares the item was removed, but the item remained in the cart.
I get this JS error in relation to this action:
Error: TypeError: ajaxcartConfig is null
Source File: javascript:ajaxcartConfig.deleteItem('http://www.***.com/checkout/cart/delete/id/5063/')
Line: 1
In shopping cart with form_key:
Error: SyntaxError: missing ; before statement
Source File: javascript:ajaxcartConfig.deleteItem('http://www.***.com/checkout/cart/delete/id/5063/')form_key/OjH9hLidJtdk793J
Line: 1, Column: 82
Source Code:
tem('http://www.***.com/checkout/cart/delete/id/5063/')form_key/OjH9hLidJtdk793J
This happens only in Firefox. In Chromium, the actual cart page does not remove the item, but when I am on any other page with the minicart the item removes successfully with the action being: javascript:ajaxcartConfig.deleteItem('http://www.***.com/checkout/cart/delete/id/5065/')
Any ideas?
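
Added example, not part of any post in this thread and not code from Magento or the cart extension: in the two failing hrefs quoted above, the form key was appended after the closing parenthesis of the javascript: call, which is what produces "missing ; before statement". The sketch below places the key inside the quoted URL as a Magento-style path parameter and checks that the result parses; the helper names, the host shop.example and the key value are assumptions made for illustration.

```javascript
// Added example; addFormKey, fixDeleteHref and parses are hypothetical helpers.
// Assumes the form key is alphanumeric, so it cannot break out of the quotes.
function addFormKey(url, formKey) {
  if (!/^[A-Za-z0-9]+$/.test(formKey)) {
    throw new Error('unexpected characters in form key');
  }
  // Keep any query string or fragment after the path parameters.
  const cut = url.search(/[?#]/);
  let path = cut === -1 ? url : url.slice(0, cut);
  const rest = cut === -1 ? '' : url.slice(cut);
  // Drop a stale form_key segment, then append the current one.
  path = path.replace(/\/form_key\/[^\/]*/, '');
  if (!path.endsWith('/')) path += '/';
  return path + 'form_key/' + formKey + '/' + rest;
}

// Put the key inside the quoted URL of href="javascript:fn('<url>')".
// An href that is a plain URL gets the key added directly.
function fixDeleteHref(href, formKey) {
  const m = /^(javascript:[\w.]+\(')([^']*)('\);?)$/.exec(href);
  if (!m) return addFormKey(href, formKey);
  return m[1] + addFormKey(m[2], formKey) + m[3];
}

// True when the body of a javascript: href parses (it is never executed).
function parses(href) {
  try {
    new Function(href.replace(/^javascript:/, ''));
    return true;
  } catch (e) {
    return !(e instanceof SyntaxError);
  }
}

// Constructed sample values; host and key are placeholders.
const KEY = 'SAMPLEKEY123';
const ORIGINAL =
  "javascript:ajaxcartConfig.deleteItem('http://shop.example/checkout/cart/delete/id/3839/')";
const BROKEN = ORIGINAL + 'form_key/' + KEY; // shape of the failing href in the thread
const FIXED = fixDeleteHref(ORIGINAL, KEY);

console.log('broken parses:', parses(BROKEN), '| fixed parses:', parses(FIXED));
console.log(FIXED);
```

A form key carried in a GET URL can end up in browser history and server logs; sending the delete as a POST keeps it out of the URL.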