I use `\IPS\Node\Model` to manage some things in my application, yet any time I save the form I get a CSRF error. I looked into the Security Considerations documentation and it only mentions that calling `$form->values()` will automatically handle CSRF, but it also only explains how to use CSRF for URLs, which aren't used with `\IPS\Node\Model` subclasses. The nodes example also doesn't mention anything about CSRF.

Solved by MrFisc

  • Author
3 minutes ago, Adriano Faria said:

I've read that too. It's still totally unclear what I need to do with my node subclass. Do I just add the `public static $csrfProtected = TRUE;` to the top of the class? Do I need to add `\IPS\Session::i()->csrfCheck();` to the `saveForm` function? But that doesn't make any sense, since it's using the `\IPS\Helpers\Form` class and not creating my own URL (so I can't use `->csrf()` on any URLs). I assume it's calling `$form->values()` before calling `saveForm`?

You don't need to add that property to a model class. It should be added to your controller class.

Generally speaking you shouldn't be handling CSRF checks within your model at all.

  • Author
  • Solution
3 hours ago, bfarber said:

You don't need to add that property to a model class. It should be added to your controller class.

Generally speaking you shouldn't be handling CSRF checks within your model at all.

I figured it out. My confusion was around the `csrfProtected` property.

I needed to add it to any Controller that uses the Node due to the node's reliance on an `\IPS\Helpers\Form`.
