Posted July 4, 2020

Can you please add:

    /**
     * @brief	Has been CSRF-protected
     */
    public static $csrfProtected = TRUE;

to the files "templates" in applications/core/data/defaults:

ControllerBlank.txt
ControllerList.txt
ControllerNode.txt

when the location is admin. Thank you.

July 6, 2020 (Solution)

We made an intentional decision not to do that, because we outright want a developer creating a new controller to explicitly review and ensure they've implemented CSRF protections. I'm afraid this change is unlikely, at least in the immediate future.

July 6, 2020 (Author)

14 minutes ago, bfarber said:

> We made an intentional decision not to do that, because we outright want a developer creating a new controller to explicitly review and ensure they've implemented CSRF protections.

The error will occur anyway if I don't add it, due to this in the admin dispatcher:

    /* Unless there is a flag telling us we have specifically added CSRF checks, assume any AdminCP action which contains more than app/module/controller/id (i.e. anything with "do") requires CSRF-protection */
    if ( !isset( $this->classname::$csrfProtected ) and array_diff( array_keys( \IPS\Request::i()->url()->queryString ), array( 'app', 'module', 'controller', 'id' ) ) )
    {
        \IPS\Session::i()->csrfCheck();
    }

Edited July 6, 2020 by Adriano Faria
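
A stand-alone PHP model of the dispatcher condition quoted in the last post, added here as an illustration and not IPS or poster code; the class names, the `csrfCheck()` helper, the `csrfKey` parameter and the session key are constructed assumptions. It shows that declaring `$csrfProtected` only switches off the dispatcher's automatic check, so the controller then has to verify the token itself.

```php
<?php
// Stand-alone model of the AdminCP dispatcher gate quoted in the thread.
// Constructed for illustration; class and function names are hypothetical.

const ROUTING_KEYS = ['app', 'module', 'controller', 'id'];

// Stand-in for the session CSRF check: constant-time token comparison.
function csrfCheck(array $query, string $sessionKey): void {
    if (!hash_equals($sessionKey, (string) ($query['csrfKey'] ?? ''))) {
        throw new RuntimeException('CSRF check failed');
    }
}

class UnflaggedController { // no $csrfProtected: the dispatcher enforces the check
    public function delete(array $query, string $sessionKey): string {
        return 'deleted ' . $query['id'];
    }
}

class FlaggedController { // flag declared: the dispatcher steps aside
    public static $csrfProtected = true;

    public function delete(array $query, string $sessionKey): string {
        csrfCheck($query, $sessionKey); // without this line the action is unprotected
        return 'deleted ' . $query['id'];
    }
}

function dispatch(string $class, array $query, string $sessionKey): string {
    // Same condition as the quoted code: flag absent AND keys beyond routing.
    if (!isset($class::$csrfProtected) && array_diff(array_keys($query), ROUTING_KEYS)) {
        csrfCheck($query, $sessionKey);
    }
    return (new $class())->{$query['do']}($query, $sessionKey);
}

// Constructed sample requests: one without a token, one with the session's token.
$key = 'constructed-session-key';
$forged = ['app' => 'core', 'controller' => 'demo', 'id' => '7', 'do' => 'delete'];
foreach (['UnflaggedController', 'FlaggedController'] as $class) {
    foreach ([$forged, $forged + ['csrfKey' => $key]] as $query) {
        try {
            echo $class, ': ', dispatch($class, $query, $key), PHP_EOL;
        } catch (RuntimeException $e) {
            echo $class, ': ', $e->getMessage(), PHP_EOL;
        }
    }
}
```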