MrFisc, posted September 3, 2020:

I use `\IPS\Node\Model` to manage some things in my application, yet any time I save the form I get a CSRF error. I looked into the Security Considerations documentation and it only mentions that calling `$form->values()` will automatically handle CSRF, but it also only explains how to use CSRF for URLs, which aren't used with `\IPS\Node\Model` subclasses. The nodes example also doesn't mention anything about CSRF.
Adriano Faria, posted September 3, 2020:

https://invisioncommunity.com/forums/topic/457797-protecting-the-acp-controllers/
MrFisc (Author), posted September 3, 2020:

> 3 minutes ago, Adriano Faria said:
> https://invisioncommunity.com/forums/topic/457797-protecting-the-acp-controllers/

I've read that too. It's still totally unclear what I need to do with my node subclass. Do I just add the `public static $csrfProtected = TRUE;` to the top of the class? Do I need to add `\IPS\Session::i()->csrfCheck();` to the `saveForm` function? But that doesn't make any sense, since it's using the `\IPS\Helpers\Form` class and not creating my own URL (so I can't use `->csrf()` on any URLs). I assume it's calling `$form->values()` before calling `saveForm`?
bfarber, posted September 4, 2020:

You don't need to add that property to a model class. It should be added to your controller class. Generally speaking you shouldn't be handling CSRF checks within your model at all.
CoffeeCake, posted September 4, 2020:

> On 9/3/2020 at 11:25 AM, Adriano Faria said:
> https://invisioncommunity.com/forums/topic/457797-protecting-the-acp-controllers/

What do I need to do to get access to this forum?
DawPi, posted September 4, 2020:

Be a Contributor here.
MrFisc (Author), posted September 4, 2020 (marked as Solution):

> 3 hours ago, bfarber said:
> You don't need to add that property to a model class. It should be added to your controller class. Generally speaking you shouldn't be handling CSRF checks within your model at all.

I figured it out. My confusion was around the `csrfProtected` property. I needed to add it to any Controller that uses the Node due to the node's reliance on an `\IPS\Helpers\Form`.