Adriano Faria Posted July 4, 2020

Can you please add:

/**
 * @brief Has been CSRF-protected
 */
public static $csrfProtected = TRUE;

to the template files in applications/core/data/defaults:

ControllerBlank.txt
ControllerList.txt
ControllerNode.txt

when the location is admin. Thank you.
bfarber Posted July 6, 2020 (Solution)

We made an intentional decision not to do that, because we outright want a developer creating a new controller to explicitly review and ensure they've implemented CSRF protections. I'm afraid this change is unlikely, at least in the immediate future.
Adriano Faria (Author) Posted July 6, 2020 (edited July 6, 2020 by Adriano Faria)

14 minutes ago, bfarber said:
"We made an intentional decision not to do that, because we outright want a developer creating a new controller to explicitly review and ensure they've implemented CSRF protections."

The error will happen anyway if I don't add it, due to this in the admin dispatcher:

/* Unless there is a flag telling us we have specifically added CSRF checks, assume any AdminCP action
   which contains more than app/module/controller/id (i.e. anything with "do") requires CSRF-protection */
if ( !isset( $this->classname::$csrfProtected ) and array_diff( array_keys( \IPS\Request::i()->url()->queryString ), array( 'app', 'module', 'controller', 'id' ) ) )
{
    \IPS\Session::i()->csrfCheck();
}
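The dispatcher rule quoted above is a secure-by-default design: a controller that does not declare $csrfProtected gets the framework's CSRF check on every "do" action, while one that declares it takes over that responsibility. The following is an added example (not Invision Community's code) that models that decision with a stand-in dispatch() and csrfCheck(), and two constructed controllers, so the effect of the flag can be traced for a few constructed request URLs.

```php
<?php
// Stand-in for \IPS\Session::i()->csrfCheck() (assumed behaviour): compare the
// request's csrfKey with the session key and fail closed when it is missing or wrong.
function csrfCheck(array $query, string $sessionKey): void
{
    if (!isset($query['csrfKey']) || !hash_equals($sessionKey, (string) $query['csrfKey'])) {
        throw new RuntimeException('CSRF check failed');
    }
}

// Controller generated from an unmodified template: no $csrfProtected flag,
// so the dispatcher applies its default check to any action beyond a plain listing.
class UnflaggedController
{
    public function manage(array $q, string $key): string { return 'listed'; }
    public function delete(array $q, string $key): string { return 'deleted ' . $q['id']; }
}

// Controller whose author set the flag and therefore owns the CSRF check
// on every state-changing action.
class FlaggedController
{
    public static $csrfProtected = TRUE;
    public function manage(array $q, string $key): string { return 'listed'; }
    public function delete(array $q, string $key): string
    {
        csrfCheck($q, $key);                       // developer-implemented check
        return 'deleted ' . $q['id'];
    }
}

// Mirrors the dispatcher rule: without the flag, any query key other than
// app/module/controller/id (e.g. "do") triggers the framework's csrfCheck().
function dispatch(string $classname, array $query, string $sessionKey): string
{
    if (!isset($classname::$csrfProtected)
        && array_diff(array_keys($query), ['app', 'module', 'controller', 'id'])) {
        csrfCheck($query, $sessionKey);
    }
    $action = $query['do'] ?? 'manage';
    return (new $classname())->$action($query, $sessionKey);
}

// Constructed sample requests.
$key  = 'constructed-session-key';
$list = ['app' => 'core', 'module' => 'members', 'controller' => 'members'];
$del  = $list + ['do' => 'delete', 'id' => 7];

echo dispatch('UnflaggedController', $list, $key), "\n";                     // listed: no extra keys
echo dispatch('UnflaggedController', $del + ['csrfKey' => $key], $key), "\n"; // deleted 7
try { dispatch('UnflaggedController', $del, $key); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
try { dispatch('FlaggedController', $del, $key); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

The last two calls both fail: the first because the dispatcher's default check fires on the unflagged controller, the second because the flagged controller's own delete() enforces the check the flag promised.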