Is manual CSRF required for `\IPS\Node\Model` subclasses?


Solved by MrFisc

I use `\IPS\Node\Model` to manage some things in my application, yet any time I save the form I get a CSRF error. I looked into the Security Considerations documentation and it only mentions that calling `$form->values()` will automatically handle CSRF, but it also only explains how to use CSRF for URLs, which aren't used with `\IPS\Node\Model` subclasses. The nodes example also doesn't mention anything about CSRF.

3 minutes ago, Adriano Faria said:

I've read that too. It's still totally unclear what I need to do with my node subclass. Do I just add the `public static $csrfProtected = TRUE;` to the top of the class? Do I need to add `\IPS\Session::i()->csrfCheck();` to the `saveForm` function? But that doesn't make any sense, since it's using the `\IPS\Helpers\Form` class and not creating my own URL (so I can't use `->csrf()` on any URLs). I assume it's calling `$form->values()` before calling `saveForm`?

  • Solution
3 hours ago, bfarber said:

You don't need to add that property to a model class. It should be added to your controller class.

Generally speaking you shouldn't be handling CSRF checks within your model at all.

I figured it out. My confusion was around the `csrfProtected` property.

I needed to add it to any Controller that uses the Node due to the node's reliance on an `\IPS\Helpers\Form`.
