Bypass csrf validation #232
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mzur
requested changes
Feb 25, 2023
Owner
mzur
left a comment
mzur
left a comment
There was a problem hiding this comment.
Thanks! I made suggestions for alternative method/variable names. Also, please add a test case for this. You could take the code of testValidateCsrfException(), remove the expectException() and add the new disableCsrfProtection().
| } | ||
| ``` | ||
|
|
||
| ## withoutCSRF() |
Owner
There was a problem hiding this comment.
I'd like to call this disableCsrfProtection() to make sure that you are disabling an important protection mechanism.
| * | ||
| * @var boolean | ||
| */ | ||
| protected $shouldValidateCSRF; |
Owner
There was a problem hiding this comment.
Please rename to $shouldValidateCsrfToken.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please first update mzur/kirby-form dependency with mzur/kirby-form#16
Afterwards, with this PR we should be able to bypass CSRF for headless form validation.
Also see: https://forum.getkirby.com/t/uniform-deactivate-csrf-check-for-headless-usecases/20643
Thanks! 🙌