CSRF protection does not work for methods that contain upper case characters
I'm trying to protect all methods of certain controllers with the following policy rule:
resources:
  methods:
    F3_BccVoting_RestrictedControllers: 'class(F3\BccVoting\Controller\(Circular|Elector|Electorate)Controller)'
For some reason the FLOW3-CSRF-TOKEN is not attached to links pointing to F3\BccVoting\Controller\Elector::deleteAll(). When clicking the link, the "You are not allowed to perform this action." exception is thrown though.
The problem is probably that the policy service does not detect the method in the CsrfProtectionAspect because it is lowercased somewhere.
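
A minimal model of the failure mode suspected above, added here as an illustration; it is not FLOW3 code and not part of the original report. It assumes the link-building side looks up a lowercased action name while request enforcement uses the declared method name, and shows that folding case on both sides removes the mismatch. PolicyRegistry, simulate() and the ElectorController class string are hypothetical, and the code needs PHP 8.0 or later.

```php
<?php
// Hypothetical model, not FLOW3 code: a policy registry keyed by "Class::method".
final class PolicyRegistry
{
    /** @var array<string, true> */
    private array $protected = [];

    public function __construct(private bool $normalizeCase) {}

    private function key(string $class, string $method): string
    {
        // PHP resolves method names case-insensitively, so a consistent
        // lookup has to fold case on both registration and query.
        $method = $this->normalizeCase ? strtolower($method) : $method;
        return $class . '::' . $method;
    }

    public function protect(string $class, string $method): void
    {
        $this->protected[$this->key($class, $method)] = true;
    }

    public function isProtected(string $class, string $method): bool
    {
        return isset($this->protected[$this->key($class, $method)]);
    }
}

function simulate(bool $normalizeCase): array
{
    // Constructed class name, chosen to match the policy pattern in the report.
    $class = 'F3\BccVoting\Controller\ElectorController';
    $registry = new PolicyRegistry($normalizeCase);
    $registry->protect($class, 'deleteAll'); // registered under the declared name

    // Assumption: link building sees the action name lowercased.
    $tokenAttached = $registry->isProtected($class, strtolower('deleteAll'));
    // Request enforcement checks the method name as declared on the class.
    $tokenRequired = $registry->isProtected($class, 'deleteAll');

    return [
        'tokenAttached' => $tokenAttached,
        'tokenRequired' => $tokenRequired,
        'requestDenied' => $tokenRequired && !$tokenAttached,
    ];
}

var_dump(simulate(false)); // case-sensitive lookup
var_dump(simulate(true));  // case-folded lookup
```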