Adriano Faria Posted July 4, 2020

Can you please add:

```php
/**
 * @brief	Has been CSRF-protected
 */
public static $csrfProtected = TRUE;
```

to the files "templates" in applications/core/data/defaults:

ControllerBlank.txt
ControllerList.txt
ControllerNode.txt

when the location is admin.

Thank you.

bfarber Posted July 6, 2020 (Solution)

We made an intentional decision not to do that, because we outright want a developer creating a new controller to explicitly review and ensure they've implemented CSRF protections. I'm afraid this change is unlikely, at least in the immediate future.

All Astronauts Posted July 6, 2020

Adriano Faria Posted July 6, 2020 (edited)

> 14 minutes ago, bfarber said:
> We made an intentional decision not to do that, because we outright want a developer creating a new controller to explicitly review and ensure they've implemented CSRF protections.

The error will occur anyway if I don't add it due to this in the admin dispatcher:

```php
/* Unless there is a flag telling us we have specifically added CSRF checks, assume any AdminCP action which contains more than app/module/controller/id
	(i.e. anything with "do") requires CSRF-protection */
if ( !isset( $this->classname::$csrfProtected ) and array_diff( array_keys( \IPS\Request::i()->url()->queryString ), array( 'app', 'module', 'controller', 'id' ) ) )
{
	\IPS\Session::i()->csrfCheck();
}
```

Edited July 6, 2020 by Adriano Faria
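
The dispatcher condition quoted in this thread, reduced to a stand-alone sketch. This is an added example, not IPS code and not written by any poster; the class names, `csrfCheck()` stand-in, `csrfKey` parameter name and sample values are all assumptions made for illustration. It shows the three cases the thread turns on: no flag, flag with the controller's own check, and flag with no check.

```php
<?php
// Added illustration; every name below is a hypothetical stand-in, not IPS code.
const ROUTING_KEYS = ['app', 'module', 'controller', 'id'];
const SESSION_KEY = 'constructed-session-key'; // constructed sample value

function csrfCheck(array $query): void
{
    $sent = $query['csrfKey'] ?? ''; // parameter name is an assumption
    if (!is_string($sent) || !hash_equals(SESSION_KEY, $sent)) {
        throw new RuntimeException('CSRF check failed');
    }
}

class Unflagged // no $csrfProtected: relies on the dispatcher's blanket check
{
    public function execute(array $query): string { return 'executed'; }
}

class FlaggedAndChecked // flag set, and the state-changing action verifies the key itself
{
    public static $csrfProtected = TRUE;
    public function execute(array $query): string
    {
        if (isset($query['do'])) { csrfCheck($query); }
        return 'executed';
    }
}

class FlaggedOnly extends Unflagged // flag set but no check: the case the flag makes possible
{
    public static $csrfProtected = TRUE;
}

function dispatch(string $classname, array $query): string
{
    // Same condition as the dispatcher code quoted in the post above
    if (!isset($classname::$csrfProtected) && array_diff(array_keys($query), ROUTING_KEYS)) {
        csrfCheck($query);
    }
    return (new $classname)->execute($query);
}

$forged = ['app' => 'core', 'module' => 'x', 'controller' => 'y', 'do' => 'delete']; // no csrfKey
foreach (['Unflagged', 'FlaggedAndChecked', 'FlaggedOnly'] as $class) {
    try {
        echo $class, ': ', dispatch($class, $forged), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $class, ': ', $e->getMessage(), PHP_EOL;
    }
}
```

When reviewing a controller that declares `$csrfProtected`, confirm that every action reachable with extra query parameters performs its own check, since the dispatcher no longer does it for that class.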