Mac1 Posted August 29, 2020 (edited)
After updating the core to 4.5 my own custom app has problems. In the ACP, in my app's ACP modules, when I add some &request parameter to the URL a CSRF error appears. For example:
admin/?app=something&module=main&controller=something - works fine
admin/?app=something&module=main&controller=something&request=1 - CSRF error appears
It appears only in my own app, which I'm now creating, and only after updating IPS to 4.5. Before the IPS update it was working like a charm.
I have tried:
Rebuilding the app
Clearing the cache
Creating a new theme / using the default theme
Restarting php/nginx
Trying to find errors in my app
Updating IPS to 4.5.1 today, and the problem still exists.
I have seen that in IPS 4.5 there is no &adsess in ACP URIs, but that's probably not the reason.
Edited August 29, 2020 by Mac1
Adriano Faria Posted August 29, 2020
You have to add this to your Admin CP controllers:
public static $csrfProtected = TRUE;
That's because they removed the session ID from ACP URLs.
Mac1 (Author) Posted August 29, 2020
5 minutes ago, Adriano Faria said:
"You have to add this to your Admin CP controllers: public static $csrfProtected = TRUE; That's because they removed the session ID from ACP URLs."
Thank you very much!
Adriano Faria Posted August 29, 2020 (edited)
By the way, that's not all. You'll have to add the CSRF checking to all your links for the same reason, otherwise anyone who knows the URLs of your ACP controllers will be able to "execute" them. So in your links and buttons, add:
\IPS\Http\Url::internal( "app... ...&do=something" )->csrf();
Then in something(), you start with:
\IPS\Session::i()->csrfCheck();
confirmedDelete() should be used when you try to delete something, using data-confirm in links or 'data' => array( 'delete' => '' ) in buttons. Take a look at any official app's ACP controllers.
Edited August 29, 2020 by Adriano Faria
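A controller that puts the three pieces from the reply above together, added here as an example rather than code from the thread or from the IPS codebase. The app/module/controller names follow the URL in the original post; the class layout, execute()/manage() methods, the permission key, the language strings and the \IPS\Output calls are assumed from IPS 4.x controller conventions.

```php
<?php
/* Added example for the hypothetical app "something"
 * (app=something&module=main&controller=something, as in the first post).
 * Namespace, base class, execute()/manage() and \IPS\Output usage are assumed
 * IPS 4.x conventions, not taken from the thread. */
namespace IPS\something\modules\admin\main;

class _something extends \IPS\Dispatcher\Controller
{
    /* 1. Mark the controller CSRF-protected: since 4.5 the ACP no longer carries
     *    a session ID in the URL, so the token must be checked explicitly. */
    public static $csrfProtected = TRUE;

    public function execute()
    {
        /* 'something_manage' is a placeholder permission key (assumed). */
        \IPS\Dispatcher::i()->checkAcpPermission( 'something_manage' );
        parent::execute();
    }

    /* Default action: the buttons it renders carry the CSRF token in their URL. */
    protected function manage()
    {
        /* 2. Every state-changing link is built with ->csrf(). */
        \IPS\Output::i()->sidebar['actions']['run'] = array(
            'icon'  => 'refresh',
            'title' => 'something_run',   /* language string, assumed */
            'link'  => \IPS\Http\Url::internal( 'app=something&module=main&controller=something&do=something' )->csrf(),
        );
        \IPS\Output::i()->sidebar['actions']['delete'] = array(
            'icon'  => 'times-circle',
            'title' => 'delete',
            'link'  => \IPS\Http\Url::internal( 'app=something&module=main&controller=something&do=delete&id=1' )->csrf(),
            'data'  => array( 'delete' => '' ),   /* asks for confirmation before following the link */
        );
        \IPS\Output::i()->output = '';   /* template output goes here */
    }

    /* 3. Verify the token before doing anything with side effects. */
    protected function something()
    {
        \IPS\Session::i()->csrfCheck();   /* stops the request if the token is missing or wrong */
        /* ... perform the action here ... */
        \IPS\Output::i()->redirect( \IPS\Http\Url::internal( 'app=something&module=main&controller=something' ), 'done' );
    }

    protected function delete()
    {
        \IPS\Session::i()->csrfCheck();
        \IPS\Request::i()->confirmedDelete();   /* shows the confirmation page until the user confirms (assumed) */
        /* ... delete the record identified by \IPS\Request::i()->id ... */
        \IPS\Output::i()->redirect( \IPS\Http\Url::internal( 'app=something&module=main&controller=something' ), 'deleted' );
    }
}
```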
Stuart Silvester Posted August 29, 2020
Have a read of this document, it covers the CSRF protection requirements.