The other day I was trying to help someone create a Form in the admin side of Magento that would simply POST to a Controller and capture some data. I thought it’d be fairly simple, I’ve done it before; I thought.
Turns out I had done it before, but I’ve always used the built in Magento Form widgets, never specified a custom .phtml template and actually tried to write the Form code by hand. It’s a little more tricky than I anticipated, but we struggled through it and finally found the catch.
The “catch”, as it were, is that you have to send a hidden “form_key” field. The form key is Magento’s anti-CSRF token: it is tied to your session, so a POST that carries it is known to come from a page Magento rendered for you and not from some spoofer posting malicious data to your backend. Let’s get started.
Let’s presume that I’ve got a module, Spinonesolutions_Helloworld. In it I’m going to make a block:
/app/code/local/Spinonesolutions/Helloworld/Block/Adminhtml/Adminform.php
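<?php
class Spinonesolutions_Helloworld_Block_Adminhtml_Adminform extends Mage_Adminhtml_Block_Template {
    public function __construct() {
        parent::__construct();
        // Template path is relative to the adminhtml theme's template/ directory
        $this->setTemplate('helloworld/form.phtml');
        // The form posts to newAction() of the current controller
        $this->setFormAction(Mage::getUrl('*/*/new'));
    }
}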
It’s easily seen that I’m referencing a .phtml template within my Block for the presentation so let’s make that file as well:
/app/design/adminhtml/default/default/template/helloworld/form.phtml
<form action="<?php echo $this->getFormAction(); ?>" method="POST">
    <input type="text" id="var1" name="var1" />
    <input type="submit" id="submit" name="submit" />
</form>
Lastly we need a Controller to handle the POST and to render our Block:
/app/code/local/Spinonesolutions/Helloworld/controllers/Adminhtml/AdminformController.php
<?php
class Spinonesolutions_Helloworld_Adminhtml_AdminformController extends Mage_Adminhtml_Controller_Action {
    // Renders the block (and therefore the form) inside the admin layout
    public function indexAction() {
        $this->loadLayout();
        $block = $this->getLayout()->createBlock('spinonesolutions_helloworld/adminhtml_adminform', 'admin_form');
        $this->getLayout()->getBlock('content')->append($block);
        $this->renderLayout();
    }

    // Target of the form POST
    public function newAction() {
        die('here I am!');
    }
}
OK, that’s it for the architecture. Let’s wire it all up with some XML in config.xml. Note this is partial, not a full module definition:
<blocks>
    <spinonesolutions_helloworld>
        <class>Spinonesolutions_Helloworld_Block</class>
    </spinonesolutions_helloworld>
</blocks>
<admin>
    <routers>
        <adminhtml>
            <args>
                <modules>
                    <Spinonesolutions_Helloworld before="Mage_Adminhtml">Spinonesolutions_Helloworld_Adminhtml</Spinonesolutions_Helloworld>
                </modules>
            </args>
        </adminhtml>
    </routers>
</admin>
Now, if you visit */admin/adminform/index you should see your super simple Form. If you hit submit your Form will certainly post, but instead of seeing the die output you’ll be redirected to the Dashboard. This is because we haven’t sent through the form key that Magento’s internal routing system requires in order to validate our form. Let’s change form.phtml so that we can POST successfully.
<form action="<?php echo $this->getFormAction(); ?>" method="POST">
    <input type="hidden" name="form_key" value="<?php echo $this->getFormKey(); ?>" />
    <input type="text" id="var1" name="var1" />
    <input type="submit" id="submit" name="submit" />
</form>
That’s all there is to it! Notice the “form_key” hidden variable. That’s the key to submitting Forms in the Magento admin.
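To show why the hidden field makes the difference, here is an added example (not part of the original post and not Magento’s own code): a simplified, stand-alone model of a session-bound form key check. The function names, the `_form_key` session slot and the sample requests are assumptions constructed for illustration.

```php
<?php
// Simplified model of a session-bound form key check (not Magento's code).
// All function names and sample values below are constructed for illustration.

// Return the session's form key, creating a random one on first use.
function getFormKey(array &$session): string
{
    if (!isset($session['_form_key'])) {
        $session['_form_key'] = bin2hex(random_bytes(16));
    }
    return $session['_form_key'];
}

// A POST is accepted only if it carries the key stored in the same session.
function validateFormKey(array $session, array $post): bool
{
    $sent = $post['form_key'] ?? null;
    if (!is_string($sent) || !isset($session['_form_key'])) {
        return false;
    }
    // Constant-time comparison avoids leaking the key through timing.
    return hash_equals($session['_form_key'], $sent);
}

// Mimics the behaviour described in the post: bad key => back to the dashboard.
function dispatchPost(array $session, array $post): string
{
    return validateFormKey($session, $post)
        ? 'dispatch newAction'
        : 'redirect to dashboard';
}

$adminSession = [];   // the logged-in admin's session (constructed)
$otherSession = [];   // a different browser session (constructed)
$adminKey = getFormKey($adminSession);
$otherKey = getFormKey($otherSession);

$requests = [
    'form.phtml without form_key' => ['var1' => 'hello'],
    'form.phtml with form_key'    => ['var1' => 'hello', 'form_key' => $adminKey],
    'key from another session'    => ['var1' => 'hello', 'form_key' => $otherKey],
    'form_key sent as an array'   => ['var1' => 'hello', 'form_key' => ['x']],
];

foreach ($requests as $label => $post) {
    printf("%-30s => %s\n", $label, dispatchPost($adminSession, $post));
}
```

Only the request carrying the key issued to the same session is dispatched; the other three fall through to the redirect, which is the behaviour the first version of form.phtml ran into.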
6 Comments for Magento Admin Form POST with form_key
Pako Gimeno | February 19, 2011 at 11:24 am
Dear Will:
I have a doubt. I am trying to build a Web (about Art).
I need that the artists (there will be thousands) upload their works (products) directly to D.B.
As much as I sought not find a way to enable load products from users who are not administrators. It would be simple products that would be associated with a category and that’s it.
Can you advise me something?
Thanks in advance,
Pako
Björn | May 25, 2011 at 3:54 am
This problem really annoyed me. So I just have two words for you:
Thank you!
harris | June 19, 2011 at 9:48 pm
Where is the config.xml located for editing?
Ryodin | July 5, 2011 at 11:16 am
Awesome post, I still have some hair to rip out now.
job | January 27, 2012 at 10:21 am
How to create spin product? Please teach me. Thank you.
by step by step.