  1. eZ Publish / Platform
  2. EZP-20790

Possible inconsistency between doc and the way CSRF works, notably between 5 stack and LS

    Details

      Description

      There might be an inconsistency between the documentation and the way CSRF works, notably with legacy. This question details the issue:
      http://stackoverflow.com/questions/16216134/symfony-2-form-in-ez-publish-5-csrf-intuition

      (doc link pointed to from the question: https://confluence.ez.no/display/EZP/Legacy+configuration+injection#Legacyconfigurationinjection-eZFormToken(CSRF)integration )

      Cheers,

          Activity

          André Rømcke added a comment - - edited

          Possible issue here is that ezpKernelWeb now has this in requestInit():
          >> ezpEvent::getInstance()->notify( 'request/input', array( $this->uri ) );

          However, that means form tokens are checked when runCallback is used, while we only want them to be checked on run(), afaik.


            People

            • Assignee:
              Unassigned
              Reporter:
              Nicolas Pastorino (Inactive)